{"api_version":"1","generated_at":"2026-04-22T23:31:10+00:00","cve":"CVE-2021-38502","urls":{"html":"https://cve.report/CVE-2021-38502","api":"https://cve.report/api/cve/CVE-2021-38502.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-38502","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-38502"},"summary":{"title":"CVE-2021-38502","description":"Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2021-11-03 01:15:00","updated_at":"2022-07-12 17:42:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://www.mozilla.org/security/advisories/mfsa2021-47/","name":"https://www.mozilla.org/security/advisories/mfsa2021-47/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Thunderbird 91.2 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2022/dsa-5034","name":"DSA-5034","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5034-1 thunderbird","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html","name":"[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2874-1] thunderbird security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1733366","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1733366","refsource":"MISC","tags":[],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-38502","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38502","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"38502","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"38502","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"38502","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"38502","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-38502","qid":"159429","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2021-3838)"},{"cve":"CVE-2021-38502","qid":"159430","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2021-3841)"},{"cve":"CVE-2021-38502","qid":"178983","title":"Debian Security Update for thunderbird (DSA 5034-1)"},{"cve":"CVE-2021-38502","qid":"178986","title":"Debian Security Update for thunderbird (DLA 2874-1)"},{"cve":"CVE-2021-38502","qid":"184343","title":"Debian Security Update for thunderbird (CVE-2021-38502)"},{"cve":"CVE-2021-38502","qid":"198641","title":"Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-5248-1)"},{"cve":"CVE-2021-38502","qid":"239682","title":"Red Hat Update for thunderbird (RHSA-2021:3841)"},{"cve":"CVE-2021-38502","qid":"239683","title":"Red Hat Update for thunderbird (RHSA-2021:3840)"},{"cve":"CVE-2021-38502","qid":"239684","title":"Red Hat Update for thunderbird (RHSA-2021:3839)"},{"cve":"CVE-2021-38502","qid":"239685","title":"Red Hat Update for thunderbird (RHSA-2021:3838)"},{"cve":"CVE-2021-38502","qid":"257126","title":"CentOS Security Update for thunderbird (CESA-2021:3841)"},{"cve":"CVE-2021-38502","qid":"296066","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 40.107.3 Missing (CPUOCT2021)"},{"cve":"CVE-2021-38502","qid":"353982","title":"Amazon Linux Security Advisory for thunderbird : ALAS2-2022-1818"},{"cve":"CVE-2021-38502","qid":"375959","title":"Mozilla Thunderbird Multiple Vulnerabilities (MFSA2021-47)"},{"cve":"CVE-2021-38502","qid":"502381","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-38502","qid":"503632","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-38502","qid":"503634","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-38502","qid":"503650","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-38502","qid":"503669","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-38502","qid":"506260","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-38502","qid":"751542","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:4150-1)"},{"cve":"CVE-2021-38502","qid":"751566","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:1635-1)"},{"cve":"CVE-2021-38502","qid":"940268","title":"AlmaLinux Security Update for thunderbird (ALSA-2021:3838)"},{"cve":"CVE-2021-38502","qid":"960020","title":"Rocky Linux Security Update for thunderbird (RLSA-2021:3838)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-38502","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"91.2","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Downgrade attack on SMTP STARTTLS connections"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2021-47/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-47/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1733366","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1733366"},{"refsource":"DEBIAN","name":"DSA-5034","url":"https://www.debian.org/security/2022/dsa-5034"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html"}]},"description":{"description_data":[{"lang":"eng","value":"Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2."}]}},"nvd":{"publishedDate":"2021-11-03 01:15:00","lastModifiedDate":"2022-07-12 17:42:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.2,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"91.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"38502","Ordinal":"214164","Title":"CVE-2021-38502","CVE":"CVE-2021-38502","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"38502","Ordinal":"1","NoteData":"Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"38502","Ordinal":"2","NoteData":"2021-11-02","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"38502","Ordinal":"3","NoteData":"2022-01-04","Type":"Other","Title":"Modified"}]}}}