Vulnerabilites related to libetpan_project - libetpan
cve-2017-8825
Vulnerability from cvelistv5
Published
2017-05-08 16:00
Modified
2024-08-05 16:48
Severity ?
EPSS score ?
Summary
A null dereference vulnerability has been found in the MIME handling component of LibEtPan before 1.8, as used in MailCore and MailCore 2. A crash can occur in low-level/imf/mailimf.c during a failed parse of a Cc header containing multiple e-mail addresses.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/dinhviethoa/libetpan/issues/274 | x_refsource_CONFIRM | |
| https://github.com/dinhviethoa/libetpan/releases/tag/1.8 | x_refsource_CONFIRM | |
| https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T16:48:22.222Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/dinhviethoa/libetpan/issues/274", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/dinhviethoa/libetpan/releases/tag/1.8", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-05-08T00:00:00", descriptions: [ { lang: "en", value: "A null dereference vulnerability has been found in the MIME handling component of LibEtPan before 1.8, as used in MailCore and MailCore 2. A crash can occur in low-level/imf/mailimf.c during a failed parse of a Cc header containing multiple e-mail addresses.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-05-08T15:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/dinhviethoa/libetpan/issues/274", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/dinhviethoa/libetpan/releases/tag/1.8", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-8825", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A null dereference vulnerability has been found in the MIME handling component of LibEtPan before 1.8, as used in MailCore and MailCore 2. A crash can occur in low-level/imf/mailimf.c during a failed parse of a Cc header containing multiple e-mail addresses.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/dinhviethoa/libetpan/issues/274", refsource: "CONFIRM", url: "https://github.com/dinhviethoa/libetpan/issues/274", }, { name: "https://github.com/dinhviethoa/libetpan/releases/tag/1.8", refsource: "CONFIRM", url: "https://github.com/dinhviethoa/libetpan/releases/tag/1.8", }, { name: "https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d", refsource: "CONFIRM", url: "https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-8825", datePublished: "2017-05-08T16:00:00", dateReserved: "2017-05-07T00:00:00", dateUpdated: "2024-08-05T16:48:22.222Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-4121
Vulnerability from cvelistv5
Published
2023-01-17 00:00
Modified
2024-08-03 01:27
Severity ?
EPSS score ?
Summary
In libetpan a null pointer dereference in mailimap_mailbox_data_status_free in low-level/imap/mailimap_types.c was found that could lead to a remote denial of service or other potential consequences.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:27:54.460Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/dinhvh/libetpan/issues/420", }, { tags: [ "x_transferred", ], url: "https://github.com/dinhvh/libetpan/commit/5c9eb6b6ba64c4eb927d7a902317410181aacbba", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "libetpan", vendor: "n/a", versions: [ { status: "affected", version: "unknown", }, ], }, ], descriptions: [ { lang: "en", value: "In libetpan a null pointer dereference in mailimap_mailbox_data_status_free in low-level/imap/mailimap_types.c was found that could lead to a remote denial of service or other potential consequences.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-476", description: "CWE-476", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-17T00:00:00", orgId: "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", shortName: "fedora", }, references: [ { url: "https://github.com/dinhvh/libetpan/issues/420", }, { url: "https://github.com/dinhvh/libetpan/commit/5c9eb6b6ba64c4eb927d7a902317410181aacbba", }, ], }, }, cveMetadata: { assignerOrgId: "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", assignerShortName: "fedora", cveId: "CVE-2022-4121", datePublished: "2023-01-17T00:00:00", dateReserved: "2022-11-22T00:00:00", dateUpdated: "2024-08-03T01:27:54.460Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-15953
Vulnerability from cvelistv5
Published
2020-07-27 06:07
Modified
2024-08-04 13:30
Severity ?
EPSS score ?
Summary
LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/dinhvh/libetpan/issues/386 | x_refsource_MISC | |
| https://security.gentoo.org/glsa/202007-55 | vendor-advisory, x_refsource_GENTOO | |
| https://lists.debian.org/debian-lts-announce/2020/08/msg00026.html | mailing-list, x_refsource_MLIST | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/ | vendor-advisory, x_refsource_FEDORA | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M65FVH5XPS23NLHFN3ABEGBSCHZAISXN/ | vendor-advisory, x_refsource_FEDORA | |
| http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00060.html | vendor-advisory, x_refsource_SUSE | |
| http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00075.html | vendor-advisory, x_refsource_SUSE |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T13:30:23.456Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/dinhvh/libetpan/issues/386", }, { name: "GLSA-202007-55", tags: [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred", ], url: "https://security.gentoo.org/glsa/202007-55", }, { name: "[debian-lts-announce] 20200816 [SECURITY] [DLA 2329-1] libetpan security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00026.html", }, { name: "FEDORA-2020-13ae5f7221", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/", }, { name: "FEDORA-2020-44e52ef729", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M65FVH5XPS23NLHFN3ABEGBSCHZAISXN/", }, { name: "openSUSE-SU-2020:1454", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00060.html", }, { name: "openSUSE-SU-2020:1505", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00075.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a \"begin TLS\" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka \"response injection.\"", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-09-22T21:06:20", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/dinhvh/libetpan/issues/386", }, { name: "GLSA-202007-55", tags: [ "vendor-advisory", "x_refsource_GENTOO", ], url: "https://security.gentoo.org/glsa/202007-55", }, { name: "[debian-lts-announce] 20200816 [SECURITY] [DLA 2329-1] libetpan security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00026.html", }, { name: "FEDORA-2020-13ae5f7221", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/", }, { name: "FEDORA-2020-44e52ef729", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M65FVH5XPS23NLHFN3ABEGBSCHZAISXN/", }, { name: "openSUSE-SU-2020:1454", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00060.html", }, { name: "openSUSE-SU-2020:1505", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00075.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2020-15953", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a \"begin TLS\" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka \"response injection.\"", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/dinhvh/libetpan/issues/386", refsource: "MISC", url: "https://github.com/dinhvh/libetpan/issues/386", }, { name: "GLSA-202007-55", refsource: "GENTOO", url: "https://security.gentoo.org/glsa/202007-55", }, { name: "[debian-lts-announce] 20200816 [SECURITY] [DLA 2329-1] libetpan security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00026.html", }, { name: "FEDORA-2020-13ae5f7221", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/", }, { name: "FEDORA-2020-44e52ef729", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M65FVH5XPS23NLHFN3ABEGBSCHZAISXN/", }, { name: "openSUSE-SU-2020:1454", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00060.html", }, { name: "openSUSE-SU-2020:1505", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00075.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2020-15953", datePublished: "2020-07-27T06:07:04", dateReserved: "2020-07-27T00:00:00", dateUpdated: "2024-08-04T13:30:23.456Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2023-01-17 18:15
Modified
2024-11-21 07:34
Severity ?
Summary
In libetpan a null pointer dereference in mailimap_mailbox_data_status_free in low-level/imap/mailimap_types.c was found that could lead to a remote denial of service or other potential consequences.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| patrick@puiterwijk.org | https://github.com/dinhvh/libetpan/commit/5c9eb6b6ba64c4eb927d7a902317410181aacbba | Patch, Third Party Advisory | |
| patrick@puiterwijk.org | https://github.com/dinhvh/libetpan/issues/420 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/dinhvh/libetpan/commit/5c9eb6b6ba64c4eb927d7a902317410181aacbba | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/dinhvh/libetpan/issues/420 | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| libetpan_project | libetpan | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:libetpan_project:libetpan:-:*:*:*:*:*:*:*", matchCriteriaId: "6A0D1B29-C9D4-41DF-BC27-693F54591519", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In libetpan a null pointer dereference in mailimap_mailbox_data_status_free in low-level/imap/mailimap_types.c was found that could lead to a remote denial of service or other potential consequences.", }, { lang: "es", value: "En libetpan se encontró una desreferencia de puntero nulo en mailimap_mailbox_data_status_free en low-level/imap/mailimap_types.c que podría provocar una denegación remota de servicio u otras posibles consecuencias.", }, ], id: "CVE-2022-4121", lastModified: "2024-11-21T07:34:37.097", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-01-17T18:15:11.583", references: [ { source: "patrick@puiterwijk.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/dinhvh/libetpan/commit/5c9eb6b6ba64c4eb927d7a902317410181aacbba", }, { source: "patrick@puiterwijk.org", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/dinhvh/libetpan/issues/420", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/dinhvh/libetpan/commit/5c9eb6b6ba64c4eb927d7a902317410181aacbba", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/dinhvh/libetpan/issues/420", }, ], sourceIdentifier: "patrick@puiterwijk.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-476", }, ], source: "patrick@puiterwijk.org", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-476", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-05-08 16:29
Modified
2024-11-21 03:34
Severity ?
Summary
A null dereference vulnerability has been found in the MIME handling component of LibEtPan before 1.8, as used in MailCore and MailCore 2. A crash can occur in low-level/imf/mailimf.c during a failed parse of a Cc header containing multiple e-mail addresses.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/dinhviethoa/libetpan/issues/274 | Third Party Advisory | |
| cve@mitre.org | https://github.com/dinhviethoa/libetpan/releases/tag/1.8 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/dinhviethoa/libetpan/issues/274 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/dinhviethoa/libetpan/releases/tag/1.8 | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| libetpan_project | libetpan | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:libetpan_project:libetpan:*:*:*:*:*:*:*:*", matchCriteriaId: "D7D0B05F-8691-4D8A-97C7-BF3246B5D749", versionEndIncluding: "1.7.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A null dereference vulnerability has been found in the MIME handling component of LibEtPan before 1.8, as used in MailCore and MailCore 2. A crash can occur in low-level/imf/mailimf.c during a failed parse of a Cc header containing multiple e-mail addresses.", }, { lang: "es", value: "Se ha encontrado una vulnerabilidad de desreferencia nula en el componente MIME de LibEtPan en versiones anteriores a la 1.8, como las utilizadas en MailCore y MailCore 2. Puede ocurrir un fallo en low-level/imf/mailimf.c durante una análisis fallido de una cabecera Cc que contiene múltiples direcciones de correo electrónico.", }, ], id: "CVE-2017-8825", lastModified: "2024-11-21T03:34:46.720", metrics: { cvssMetricV2: [ { acInsufInfo: true, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-05-08T16:29:00.177", references: [ { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/dinhviethoa/libetpan/issues/274", }, { source: "cve@mitre.org", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/dinhviethoa/libetpan/releases/tag/1.8", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/dinhviethoa/libetpan/issues/274", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/dinhviethoa/libetpan/releases/tag/1.8", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-476", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-07-27 07:15
Modified
2024-11-21 05:06
Severity ?
Summary
LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| libetpan_project | libetpan | * | |
| libmailcore | mailcore2 | * | |
| fedoraproject | fedora | 31 | |
| fedoraproject | fedora | 32 | |
| debian | debian_linux | 9.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:libetpan_project:libetpan:*:*:*:*:*:*:*:*", matchCriteriaId: "265D13E3-68BC-4CD7-B04E-A9713F74895F", versionEndIncluding: "1.9.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:libmailcore:mailcore2:*:*:*:*:*:*:*:*", matchCriteriaId: "3BC108A8-B707-46A8-BD74-19DB4DDD7E56", versionEndIncluding: "0.6.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", matchCriteriaId: "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", matchCriteriaId: "36D96259-24BD-44E2-96D9-78CE1D41F956", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a \"begin TLS\" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka \"response injection.\"", }, { lang: "es", value: "LibEtPan versiones hasta 1.9.4, como es usado en MailCore 2 versiones hasta 0.6.3 y otros productos, presenta un problema de almacenamiento en búfer STARTTLS que afecta a IMAP, SMTP y POP3. Cuando un servidor envía una respuesta \"begin TLS\", el cliente lee datos adicionales (por ejemplo, de un atacante de tipo meddler-in-the-middle) y los evalúa en un contexto TLS, también se conoce como \"response injection\"", }, ], id: "CVE-2020-15953", lastModified: "2024-11-21T05:06:31.700", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-07-27T07:15:10.910", references: [ { source: "cve@mitre.org", tags: [ "Broken Link", ], url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00060.html", }, { source: "cve@mitre.org", tags: [ "Broken Link", ], url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00075.html", }, { source: "cve@mitre.org", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://github.com/dinhvh/libetpan/issues/386", }, { source: "cve@mitre.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00026.html", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M65FVH5XPS23NLHFN3ABEGBSCHZAISXN/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202007-55", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", ], url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00060.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", ], url: "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00075.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://github.com/dinhvh/libetpan/issues/386", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00026.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M65FVH5XPS23NLHFN3ABEGBSCHZAISXN/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202007-55", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-74", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }