{"api_version":"1","generated_at":"2026-04-23T02:25:17+00:00","cve":"CVE-2021-29956","urls":{"html":"https://cve.report/CVE-2021-29956","api":"https://cve.report/api/cve/CVE-2021-29956.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-29956","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-29956"},"summary":{"title":"CVE-2021-29956","description":"OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2021-06-24 14:15:00","updated_at":"2021-06-30 20:00:00"},"problem_types":["CWE-312"],"metrics":[],"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1710290","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1710290","refsource":"MISC","tags":[],"title":"1710290 - (CVE-2021-29956) For OpenPGP secret keys imported with Thunderbird versions 78.8.1 - 78.10.1 the master password isn't effective","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-22/","name":"https://www.mozilla.org/security/advisories/mfsa2021-22/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Thunderbird 78.10.2 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-29956","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29956","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"29956","vulnerable":"1","versionEndIncluding":"78.10.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-29956","qid":"159247","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2021-2263)"},{"cve":"CVE-2021-29956","qid":"159248","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2021-2264)"},{"cve":"CVE-2021-29956","qid":"178653","title":"Debian Security Update for thunderbird (DSA 4927-1)"},{"cve":"CVE-2021-29956","qid":"178662","title":"Debian Security Update for thunderbird (DLA 2679-1)"},{"cve":"CVE-2021-29956","qid":"179709","title":"Debian Security Update for thunderbird (CVE-2021-29956)"},{"cve":"CVE-2021-29956","qid":"198415","title":"Ubuntu Security Notification for Thunderbird vulnerabilities (USN-4995-1)"},{"cve":"CVE-2021-29956","qid":"198424","title":"Ubuntu Security Notification for Thunderbird vulnerabilities (USN-4995-2)"},{"cve":"CVE-2021-29956","qid":"239360","title":"Red Hat Update for thunderbird (RHSA-2021:2264)"},{"cve":"CVE-2021-29956","qid":"239361","title":"Red Hat Update for thunderbird (RHSA-2021:2262)"},{"cve":"CVE-2021-29956","qid":"239416","title":"Red Hat Update for thunderbird (RHSA-2021:2263)"},{"cve":"CVE-2021-29956","qid":"239417","title":"Red Hat Update for thunderbird (RHSA-2021:2261)"},{"cve":"CVE-2021-29956","qid":"296053","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 35.94.4 Missing (CPUJUL2021)"},{"cve":"CVE-2021-29956","qid":"352456","title":"Amazon Linux Security Advisory for thunderbird: ALAS2-2021-1681"},{"cve":"CVE-2021-29956","qid":"375578","title":"Mozilla Thunderbird Security Vulnerability (MFSA2021-22)"},{"cve":"CVE-2021-29956","qid":"502381","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-29956","qid":"503632","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-29956","qid":"503634","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-29956","qid":"503650","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-29956","qid":"503669","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-29956","qid":"506260","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-29956","qid":"750810","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:1854-1)"},{"cve":"CVE-2021-29956","qid":"940023","title":"AlmaLinux Security Update for thunderbird (ALSA-2021:2264)"},{"cve":"CVE-2021-29956","qid":"960045","title":"Rocky Linux Security Update for thunderbird (RLSA-2021:2264)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-29956","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"78.10.2","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Thunderbird stored OpenPGP secret keys without master password protection"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2021-22/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-22/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1710290","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1710290"}]},"description":{"description_data":[{"lang":"eng","value":"OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2."}]}},"nvd":{"publishedDate":"2021-06-24 14:15:00","lastModifiedDate":"2021-06-30 20:00:00","problem_types":["CWE-312"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionStartIncluding":"78.8.1","versionEndIncluding":"78.10.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"29956","Ordinal":"205187","Title":"CVE-2021-29956","CVE":"CVE-2021-29956","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"29956","Ordinal":"1","NoteData":"OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"29956","Ordinal":"2","NoteData":"2021-06-24","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"29956","Ordinal":"3","NoteData":"2021-06-24","Type":"Other","Title":"Modified"}]}}}