CVE-2020-6794
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.8 / Impact: 3.6
Source: NVD
Description
If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Thunderbird < 68.5.
Affected (4)
Products: Mozilla: Thunderbird · Canonical: Ubuntu Linux
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Before 68.5.0 |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Version 16.04 |
Related CWEs
CWE-312
Cleartext Storage of Sensitive Information
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CWE-459
Incomplete Cleanup
The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
CWE-522
Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
References (10)
Source: security@mozilla.org
ExploitIssue TrackingPatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitIssue TrackingPatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Timeline
No history available yet.