Candidate: CVE-2020-15646
PublicDate: 2020-10-08 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15646
 https://www.mozilla.org/en-US/security/advisories/mfsa2020-26/#CVE-2020-15646
Description:
 If an attacker intercepts Thunderbird's initial attempt to perform
 automatic account setup using the Microsoft Exchange autodiscovery
 mechanism, and the attacker sends a crafted response, then Thunderbird
 sends username and password over https to a server controlled by the
 attacker. This vulnerability affects Thunderbird < 68.10.0.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]

Patches_thunderbird:
upstream_thunderbird: released (1:68.10.0-1)
precise/esm_thunderbird: DNE
trusty_thunderbird: ignored (out of standard support)
trusty/esm_thunderbird: DNE
xenial_thunderbird: released (1:68.10.0+build1-0ubuntu0.16.04.1)
esm-infra/xenial_thunderbird: released (1:68.10.0+build1-0ubuntu0.16.04.1)
bionic_thunderbird: released (1:68.10.0+build1-0ubuntu0.18.04.1)
focal_thunderbird: released (1:68.10.0+build1-0ubuntu0.20.04.1)
devel_thunderbird: released (1:68.10.0+build1-0ubuntu1)