https://www.mozilla.org/security/advisories/mfsa2021-30/

https://bugzilla.mozilla.org/show_bug.cgi?id=1682370

The version of thunderbird installed on the remote host is prior to 78.13.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1709 advisory.

  - If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server     responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected     data. This could have resulted in Thunderbird showing incorrect information, for example the attacker     could have tricked Thunderbird to show folders that didn't exist on the IMAP server. This vulnerability     affects Thunderbird < 78.12. (CVE-2021-29969)

  - A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially     exploitable crash. *This bug could only be triggered when accessibility was enabled.*. This vulnerability     affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90. (CVE-2021-29970)

  - Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird.
    Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of     these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.12,     Firefox ESR < 78.12, and Firefox < 90. (CVE-2021-29976)

  - Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption     and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91,     Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29980)

  - Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly     considered during garbage collection. This led to memory corruption and a potentially exploitable crash.
    This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29984)

  - A use-after-free vulnerability in media channels could have led to memory corruption and a potentially     exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13,     and Firefox < 91. (CVE-2021-29985)

  - A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable     crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.*     This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29986)

  - Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds     read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird <     78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29988)

  - Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these     bugs showed evidence of memory corruption and we presume that with enough effort some of these could have     been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13,     and Firefox < 91. (CVE-2021-29989)

  - Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to     potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-30547)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5058-1 advisory.

  - If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server     responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected     data. This could have resulted in Thunderbird showing incorrect information, for example the attacker     could have tricked Thunderbird to show folders that didn't exist on the IMAP server. This vulnerability     affects Thunderbird < 78.12. (CVE-2021-29969)

  - A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially     exploitable crash. *This bug could only be triggered when accessibility was enabled.*. This vulnerability     affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90. (CVE-2021-29970)

  - Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird.
    Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of     these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.12,     Firefox ESR < 78.12, and Firefox < 90. (CVE-2021-29976)

  - Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption     and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91,     Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29980)

  - Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly     considered during garbage collection. This led to memory corruption and a potentially exploitable crash.
    This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29984)

  - A use-after-free vulnerability in media channels could have led to memory corruption and a potentially     exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13,     and Firefox < 91. (CVE-2021-29985)

  - A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable     crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.*     This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29986)

  - Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds     read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird <     78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29988)

  - Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these     bugs showed evidence of memory corruption and we presume that with enough effort some of these could have     been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13,     and Firefox < 91. (CVE-2021-29989)

  - Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to     potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-30547)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1091-1 advisory.

  - If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server     responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected     data. This could have resulted in Thunderbird showing incorrect information, for example the attacker     could have tricked Thunderbird to show folders that didn't exist on the IMAP server.  (CVE-2021-29969)

  - A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially     exploitable crash. This bug only affected Firefox when accessibility was enabled.  (CVE-2021-29970)

  - Mozilla developers Emil Ghitta, Tyson Smith, Valentin Gosu, Olli Pettay, and Randell Jesup reported memory     safety bugs present in Firefox 89 and Firefox ESR 78.11. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2021-29976)

  - Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to     potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-30547)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:2883 advisory.

  - Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed (CVE-2021-29969)

  - Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970)

  - Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976)

  - chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:2914 advisory.

  - Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed (CVE-2021-29969)

  - Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970)

  - Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976)

  - chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2021-2881 advisory.

  - A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially     exploitable crash. This bug only affected Firefox when accessibility was enabled.  (CVE-2021-29970)

  - Mozilla developers Emil Ghitta, Tyson Smith, Valentin Gosu, Olli Pettay, and Randell Jesup reported memory     safety bugs present in Firefox 89 and Firefox ESR 78.11. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2021-29976)

  - Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to     potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-30547)

  - If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server     responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected     data. This could have resulted in Thunderbird showing incorrect information, for example the attacker     could have tricked Thunderbird to show folders that didn't exist on the IMAP server.  (CVE-2021-29969)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2021-2883 advisory.

  - A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially     exploitable crash. This bug only affected Firefox when accessibility was enabled.  (CVE-2021-29970)

  - Mozilla developers Emil Ghitta, Tyson Smith, Valentin Gosu, Olli Pettay, and Randell Jesup reported memory     safety bugs present in Firefox 89 and Firefox ESR 78.11. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2021-29976)

  - Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to     potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-30547)

  - If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server     responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected     data. This could have resulted in Thunderbird showing incorrect information, for example the attacker     could have tricked Thunderbird to show folders that didn't exist on the IMAP server.  (CVE-2021-29969)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the SLSA-2021:2881-1 advisory.

  - Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed (CVE-2021-29969)

  - Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970)

  - Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976)

  - chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:2882 advisory.

  - Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed (CVE-2021-29969)

  - Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970)

  - Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976)

  - chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:2883 advisory.

  - Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed (CVE-2021-29969)

  - Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970)

  - Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976)

  - chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:2881 advisory.

  - Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed (CVE-2021-29969)

  - Mozilla: Use-after-free in accessibility features of a document (CVE-2021-29970)

  - Mozilla: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12 (CVE-2021-29976)

  - chromium-browser: Out of bounds write in ANGLE (CVE-2021-30547)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2458-1 advisory.

  - If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server     responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected     data. This could have resulted in Thunderbird showing incorrect information, for example the attacker     could have tricked Thunderbird to show folders that didn't exist on the IMAP server.  (CVE-2021-29969)

  - A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially     exploitable crash. This bug only affected Firefox when accessibility was enabled.  (CVE-2021-29970)

  - Mozilla developers Emil Ghitta, Tyson Smith, Valentin Gosu, Olli Pettay, and Randell Jesup reported memory     safety bugs present in Firefox 89 and Firefox ESR 78.11. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2021-29976)

  - Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to     potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-30547)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2458-1 advisory.

  - If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server     responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected     data. This could have resulted in Thunderbird showing incorrect information, for example the attacker     could have tricked Thunderbird to show folders that didn't exist on the IMAP server.  (CVE-2021-29969)

  - A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially     exploitable crash. This bug only affected Firefox when accessibility was enabled.  (CVE-2021-29970)

  - Mozilla developers Emil Ghitta, Tyson Smith, Valentin Gosu, Olli Pettay, and Randell Jesup reported memory     safety bugs present in Firefox 89 and Firefox ESR 78.11. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run arbitrary     code.  (CVE-2021-29976)

  - Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to     potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-30547)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2711 advisory.

  - Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to     potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-30547)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4940 advisory.

  - Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to     potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-30547)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote Windows host is prior to 78.12. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2021-30 advisory.

  - If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server     responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected     data. This could have resulted in Thunderbird showing incorrect information, for example the attacker     could have tricked Thunderbird to show folders that didn't exist on the IMAP server. (CVE-2021-29969)

  - A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially     exploitable crash. This bug only affected Thunderbird when accessibility was enabled. (CVE-2021-29970)

  - An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially     exploitable crash. (CVE-2021-30547)

  - Mozilla developers Valentin Gosu, Randell Jesup, Emil Ghitta, Tyson Smith, and Olli Pettay reported memory     safety bugs present in Thunderbird 78.11. Some of these bugs showed evidence of memory corruption and we     presume that with enough effort some of these could have been exploited to run arbitrary code.
    (CVE-2021-29976)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 78.12. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2021-30 advisory.

  - If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server     responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected     data. This could have resulted in Thunderbird showing incorrect information, for example the attacker     could have tricked Thunderbird to show folders that didn't exist on the IMAP server. (CVE-2021-29969)

  - A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially     exploitable crash. This bug only affected Thunderbird when accessibility was enabled. (CVE-2021-29970)

  - An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially     exploitable crash. (CVE-2021-30547)

  - Mozilla developers Valentin Gosu, Randell Jesup, Emil Ghitta, Tyson Smith, and Olli Pettay reported memory     safety bugs present in Thunderbird 78.11. Some of these bugs showed evidence of memory corruption and we     presume that with enough effort some of these could have been exploited to run arbitrary code.
    (CVE-2021-29976)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
153417	Amazon Linux 2 : thunderbird (ALAS-2021-1709)	Nessus	Amazon Linux Local Security Checks	high
152953	Ubuntu 18.04 LTS / 20.04 LTS / 21.04 : Thunderbird vulnerabilities (USN-5058-1)	Nessus	Ubuntu Local Security Checks	high
152219	openSUSE 15 Security Update : MozillaThunderbird (openSUSE-SU-2021:1091-1)	Nessus	SuSE Local Security Checks	high
152168	CentOS 8 : thunderbird (CESA-2021:2883)	Nessus	CentOS Local Security Checks	high
152097	RHEL 8 : thunderbird (RHSA-2021:2914)	Nessus	Red Hat Local Security Checks	high
152095	Oracle Linux 7 : thunderbird (ELSA-2021-2881)	Nessus	Oracle Linux Local Security Checks	high
152093	Oracle Linux 8 : thunderbird (ELSA-2021-2883)	Nessus	Oracle Linux Local Security Checks	high
152086	Scientific Linux Security Update : thunderbird on SL7.x x86_64 (2021:2881)	Nessus	Scientific Linux Local Security Checks	high
152077	RHEL 8 : thunderbird (RHSA-2021:2882)	Nessus	Red Hat Local Security Checks	high
152076	RHEL 8 : thunderbird (RHSA-2021:2883)	Nessus	Red Hat Local Security Checks	high
152074	RHEL 7 : thunderbird (RHSA-2021:2881)	Nessus	Red Hat Local Security Checks	high
152023	SUSE SLED15 / SLES15 Security Update : MozillaThunderbird (SUSE-SU-2021:2458-1)	Nessus	SuSE Local Security Checks	high
152010	openSUSE 15 Security Update : MozillaThunderbird (openSUSE-SU-2021:2458-1)	Nessus	SuSE Local Security Checks	high
151812	Debian DLA-2711-1 : thunderbird - LTS security update	Nessus	Debian Local Security Checks	high
151807	Debian DSA-4940-1 : thunderbird - security update	Nessus	Debian Local Security Checks	high
151613	Mozilla Thunderbird < 78.12	Nessus	Windows	high
151612	Mozilla Thunderbird < 78.12	Nessus	MacOS X Local Security Checks	high

CVE-2021-29969

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high