CVE-2021-38502

5.9 MEDIUM

Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection

Published: 2021-11-03 · Last updated: 2026-06-17

Severity and scoring

CVSS: 5.9 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Vendor	Product
debian	debian_linux, thunderbird
mozilla	debian_linux, thunderbird

Description

Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. This vulnerability affects Thunderbird < 91.2.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-38502
[Vendor advisory]https://bugzilla.mozilla.org/show_bug.cgi?id=1733366
[Other]https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html
[Other]https://www.debian.org/security/2022/dsa-5034
[Vendor advisory]https://www.mozilla.org/security/advisories/mfsa2021-47/
[Vendor advisory]https://bugzilla.mozilla.org/show_bug.cgi?id=1733366
[Other]https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html
[Other]https://www.debian.org/security/2022/dsa-5034
[Vendor advisory]https://www.mozilla.org/security/advisories/mfsa2021-47/

Related CVEs

Same vendor

CVE-2026-12330 — Incorrect boundary conditions in the Internationalization component (5.4 MEDIUM)
CVE-2026-12329 — Memory safety bug fixed in Thunderbird ESR 140.12 (5.3 MEDIUM)
CVE-2026-12328 — Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151 (8.1 HIGH)
CVE-2026-12323 — Spoofing issue in the DOM: Core & HTML component (5.4 MEDIUM)
CVE-2026-12322 — Clickjacking issue in the Widget: Gtk component (5.4 MEDIUM)