CVE-2021-38502

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-38502

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-38502.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-38502

Downstream

DEBIAN-CVE-2021-38502

DLA-2874-1

DSA-5034-1

RHSA-2021:3838

RHSA-2021:3839

RHSA-2021:3840

RHSA-2021:3841

SUSE-SU-2021:4150-1

UBUNTU-CVE-2021-38502

USN-5248-1

openSUSE-SU-2021:1635-1

openSUSE-SU-2021:4150-1

Related

Published

2021-11-03T01:15:07Z

Modified

2025-08-09T19:01:28Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2.

References

Affected packages