CVE-2020-12398

Summary

If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection. This vulnerability affects Thunderbird < 68.9.0.

Affected Software

VendorProductVersion RangeStatus
MozillaThunderbirdunspecified < 68.9.0affected

Weaknesses

  • Security downgrade with IMAP STARTTLS leads to information leakage

ADP Enrichment

CVE Program Container

Additional References

References