STARTTLS Buffering Issue in Evolution Data Server by GNOME
CVE-2020-14928

5.9 MEDIUM

Key Information:

Vendor: Gnome
CVE Published: 17 July 2020

Summary

evolution-data-server prior to version 3.36.3 is susceptible to a STARTTLS buffering vulnerability that occurs during the handling of the SMTP and POP3 protocols. When a server issues a 'begin TLS' response, the server improperly processes subsequent data as TLS data, leading to potential response injection risks. Attackers can exploit this flaw to manipulate communication, potentially intercepting sensitive information.

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
