USN-5248-1
- Source
- https://ubuntu.com/security/notices/USN-5248-1
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5248-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/USN-5248-1
- Upstream
- Related
- Published
- 2022-01-21T17:00:48.871389Z
- Modified
- 2025-09-08T16:37:13Z
- Summary
- thunderbird vulnerabilities
- Details
-
Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, trick a user into accepting unwanted permissions, conduct header splitting attacks, conduct spoofing attacks, bypass security restrictions, confuse the user, or execute arbitrary code. (CVE-2021-4129, CVE-2021-4140, CVE-2021-29981, CVE-2021-29982, CVE-2021-29987, CVE-2021-29991, CVE-2021-38495, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501, CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, CVE-2021-38509, CVE-2021-43534, CVE-2021-43535, CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545, CVE-2021-43656, CVE-2022-22737, CVE-2022-22738, CVE-2022-22739, CVE-2022-22740, CVE-2022-22741, CVE-2022-22742, CVE-2022-22743, CVE-2022-22745, CVE-2022-22747, CVE-2022-22748, CVE-2022-22751)
It was discovered that Thunderbird ignored the configuration to require STARTTLS for an SMTP connection. A person-in-the-middle could potentially exploit this to perform a downgrade attack in order to intercept messages or take control of a session. (CVE-2021-38502)
It was discovered that JavaScript was unexpectedly enabled in the composition area. An attacker could potentially exploit this in combination with another vulnerability, with unspecified impacts. (CVE-2021-43528)
A buffer overflow was discovered in the Matrix chat library bundled with Thunderbird. An attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2021-44538)
It was discovered that Thunderbird's OpenPGP integration only considered the inner signed message when checking signature validity in a message that contains an additional outer MIME layer. An attacker could potentially exploit this to trick the user into thinking that a message has a valid signature. (CVE-2021-4126)
- References
-
- https://ubuntu.com/security/notices/USN-5248-1
- https://ubuntu.com/security/CVE-2021-4126
- https://ubuntu.com/security/CVE-2021-4129
- https://ubuntu.com/security/CVE-2021-4140
- https://ubuntu.com/security/CVE-2021-29981
- https://ubuntu.com/security/CVE-2021-29982
- https://ubuntu.com/security/CVE-2021-29987
- https://ubuntu.com/security/CVE-2021-29991
- https://ubuntu.com/security/CVE-2021-38495
- https://ubuntu.com/security/CVE-2021-38496
- https://ubuntu.com/security/CVE-2021-38497
- https://ubuntu.com/security/CVE-2021-38498
- https://ubuntu.com/security/CVE-2021-38500
- https://ubuntu.com/security/CVE-2021-38501
- https://ubuntu.com/security/CVE-2021-38502
- https://ubuntu.com/security/CVE-2021-38503
- https://ubuntu.com/security/CVE-2021-38504
- https://ubuntu.com/security/CVE-2021-38506
- https://ubuntu.com/security/CVE-2021-38507
- https://ubuntu.com/security/CVE-2021-38508
- https://ubuntu.com/security/CVE-2021-38509
- https://ubuntu.com/security/CVE-2021-43528
- https://ubuntu.com/security/CVE-2021-43534
- https://ubuntu.com/security/CVE-2021-43535
- https://ubuntu.com/security/CVE-2021-43536
- https://ubuntu.com/security/CVE-2021-43537
- https://ubuntu.com/security/CVE-2021-43538
- https://ubuntu.com/security/CVE-2021-43539
- https://ubuntu.com/security/CVE-2021-43541
- https://ubuntu.com/security/CVE-2021-43542
- https://ubuntu.com/security/CVE-2021-43543
- https://ubuntu.com/security/CVE-2021-43545
- https://ubuntu.com/security/CVE-2021-43546
- https://ubuntu.com/security/CVE-2021-44538
- https://ubuntu.com/security/CVE-2022-22737
- https://ubuntu.com/security/CVE-2022-22738
- https://ubuntu.com/security/CVE-2022-22739
- https://ubuntu.com/security/CVE-2022-22740
- https://ubuntu.com/security/CVE-2022-22741
- https://ubuntu.com/security/CVE-2022-22742
- https://ubuntu.com/security/CVE-2022-22743
- https://ubuntu.com/security/CVE-2022-22745
- https://ubuntu.com/security/CVE-2022-22747
- https://ubuntu.com/security/CVE-2022-22748
- https://ubuntu.com/security/CVE-2022-22751
Affected packages
Ubuntu:18.04:LTS / thunderbird
Package
- Name
- thunderbird
- Purl
- pkg:deb/ubuntu/thunderbird@1:91.5.0+build1-0ubuntu0.18.04.1?arch=source&distro=bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1:91.5.0+build1-0ubuntu0.18.04.1
Affected versions
1:52.*
1:60.*
1:68.*
1:78.*
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_name": "thunderbird",
"binary_version": "1:91.5.0+build1-0ubuntu0.18.04.1"
},
{
"binary_name": "thunderbird-dev",
"binary_version": "1:91.5.0+build1-0ubuntu0.18.04.1"
},
{
"binary_name": "thunderbird-gnome-support",
"binary_version": "1:91.5.0+build1-0ubuntu0.18.04.1"
},
{
"binary_name": "thunderbird-mozsymbols",
"binary_version": "1:91.5.0+build1-0ubuntu0.18.04.1"
},
{
"binary_name": "xul-ext-calendar-timezones",
"binary_version": "1:91.5.0+build1-0ubuntu0.18.04.1"
},
{
"binary_name": "xul-ext-gdata-provider",
"binary_version": "1:91.5.0+build1-0ubuntu0.18.04.1"
},
{
"binary_name": "xul-ext-lightning",
"binary_version": "1:91.5.0+build1-0ubuntu0.18.04.1"
}
]
}
Ubuntu:20.04:LTS / thunderbird
Package
- Name
- thunderbird
- Purl
- pkg:deb/ubuntu/thunderbird@1:91.5.0+build1-0ubuntu0.20.04.1?arch=source&distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1:91.5.0+build1-0ubuntu0.20.04.1
Affected versions
1:68.*
1:78.*
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_name": "thunderbird",
"binary_version": "1:91.5.0+build1-0ubuntu0.20.04.1"
},
{
"binary_name": "thunderbird-dev",
"binary_version": "1:91.5.0+build1-0ubuntu0.20.04.1"
},
{
"binary_name": "thunderbird-gnome-support",
"binary_version": "1:91.5.0+build1-0ubuntu0.20.04.1"
},
{
"binary_name": "thunderbird-mozsymbols",
"binary_version": "1:91.5.0+build1-0ubuntu0.20.04.1"
},
{
"binary_name": "xul-ext-calendar-timezones",
"binary_version": "1:91.5.0+build1-0ubuntu0.20.04.1"
},
{
"binary_name": "xul-ext-gdata-provider",
"binary_version": "1:91.5.0+build1-0ubuntu0.20.04.1"
},
{
"binary_name": "xul-ext-lightning",
"binary_version": "1:91.5.0+build1-0ubuntu0.20.04.1"
}
]
}