98 matches found
AZL-7227 CVE-2021-39272 affecting package fetchmail for versions less than 6.4.22-1
Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH...
Libguestfs Nbdkit 安全漏洞
Libguestfs Nbdkit is an application from the Libguestfs community for creating NBD Protocol for Accessing Network Block Devices servers. Libguestfs Nbdkit suffers from a security vulnerability that can be exploited by an attacker to trigger a denial of service by causing a fatal error via Nbdkit'...
DEBIAN-CVE-2021-38370
In Alpine before 2.25, untagged responses from an IMAP server are accepted before STARTTLS...
UBUNTU-CVE-2021-38372
In KDE Trojita 0.7, man-in-the-middle attackers can create new folders because untagged responses from an IMAP server are accepted before STARTTLS...
Exim 注入漏洞
Exim is an open source messaging agent MTA running on Unix systems that routes, forwards and delivers mail. A security vulnerability in the STARTTLS feature in Exim up to 4.94.2 allows an attacker to perform response injection buffering during MTA SMTP delivery...
Alpine 命令注入漏洞
Alpine is an email program. A command injection vulnerability exists in Alpine 2.24 that arises from the affected product accepting an untagged response from an IMAP server before STARTTLS...
KDE Trojita 命令注入漏洞
KDE Trojita is a lightweight IMAP email client for the KDE community. A security vulnerability exists in KDE Trojita 0.7 that stems from the affected product accepting an untagged response from an IMAP server before STARTTLS...
OESA-2021-1306 ruby security update
Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks such as Perl. Security Fixes: In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible t...
DEBIAN-CVE-2021-32066
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between th...
CVE-2021-32066
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between th...
imap - StartTLS stripping attack
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between th...
Mozilla: IMAP server responses sent by a MITM prior to STARTTLS could be processed
If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for...
UBUNTU-CVE-2021-33900
While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism DIGEST-MD5, GSSAPI was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue...
Mozilla Thunderbird 命令注入漏洞
Mozilla Thunderbird is an open source email client. A command injection vulnerability exists in the Mozilla Thunderbird product, which stems from a problem in the way Thunderbird handles IMAP server responses sent prior to the STARTTLS process. An attacker could exploit this vulnerability to send...
AZL-7196 CVE-2021-33515 affecting package dovecot for versions less than 2.3.20-1
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address...
Email Bug Allows Message Snooping, Credential Theft
Researchers warn hackers can snoop on email messages by exploiting a bug in the underlying technology used by the majority of email servers that run the Internet Message Access Protocol, commonly referred to as IMAP. The bug, first reported in August 2020 and patched Monday, is tied to the email...
UBUNTU-CVE-2021-33515
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address...
PT-2021-3385 · Dovecot +9 · Dovecot +9
Name of the Vulnerable Software and Affected Versions: Dovecot versions prior to 2.3.15 Description: The issue is related to the submission service in Dovecot, which allows STARTTLS command injection in lib-smtp. This can lead to sensitive information being redirected to an attacker-controlled...
The vulnerability of Thunderbird’s email client stems from insufficient validation of input data during the IMAP connection setup using STARTTLS. This allows attackers to compromise the confidentiality and integrity of the protected information.
The vulnerability of the Thunderbird email client is related to insufficient validation of input data during the IMAP connection setup using STARTTLS. Exploiting this vulnerability allows a malicious actor to compromise the confidentiality and integrity of the protected information...
Mozilla: IMAP Response Injection when using STARTTLS
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes that during the plaintext phase of the STARTTLS connection setup, protocol commands could have been injected and evaluated within the encrypted session...