TLS Certificate Verification Flaw in GNOME Geary Affects Email Security
CVE-2020-24661
What is CVE-2020-24661?
The GNOME Geary email client prior to version 3.36.3 contains a critical vulnerability caused by mishandling of pinned TLS certificate verification for IMAP and SMTP services. The issue arises when self-signed or invalid TLS certificates are in use, particularly when the client system is not using a system-provided PKCS#11 store. An attacker can then mount a man-in-the-middle attack by presenting an alternative invalid certificate, which could lead to interception of both incoming and outgoing email communications. Organizations using affected versions of Geary need to evaluate their configuration to mitigate this risk.
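
The failure mode described above, modeled as an added example (this is not Geary's code): a pin check that treats any stored pin as trust in the endpoint, next to one that compares the presented certificate's fingerprint with the pinned one. `PinStore`, `flawed_accept`, `strict_accept`, the host name, the ports and the certificate bytes are all constructed for illustration, and the flawed check is an assumed instance of this class of bug rather than the exact defect.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
PINNED_CERT = b"constructed self-signed cert the user accepted"
ROGUE_CERT = b"constructed different invalid cert from an interceptor"

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes."""
    return hashlib.sha256(der).hexdigest()

class PinStore:
    """Hypothetical pin store keyed by (host, port), so IMAP and SMTP pin separately."""
    def __init__(self):
        self._pins = {}

    def pin(self, host: str, port: int, der: bytes) -> None:
        self._pins[(host, port)] = fingerprint(der)

    def lookup(self, host: str, port: int):
        return self._pins.get((host, port))

def flawed_accept(store, host, port, der, chain_valid):
    """Assumed flaw: a stored pin is treated as trust in the endpoint, not in one cert."""
    if chain_valid:
        return True
    return store.lookup(host, port) is not None  # presented cert is never compared

def strict_accept(store, host, port, der, chain_valid):
    """Accept an invalid chain only if the presented cert is exactly the pinned one."""
    if chain_valid:
        return True
    pinned = store.lookup(host, port)
    if pinned is None:
        return False  # nothing pinned for this service: fail closed
    return hmac.compare_digest(pinned, fingerprint(der))

def run_demo():
    store = PinStore()
    store.pin("mail.example", 993, PINNED_CERT)  # user accepted this cert for IMAP only
    return {
        "flawed_rogue_imap": flawed_accept(store, "mail.example", 993, ROGUE_CERT, False),
        "strict_rogue_imap": strict_accept(store, "mail.example", 993, ROGUE_CERT, False),
        "strict_pinned_imap": strict_accept(store, "mail.example", 993, PINNED_CERT, False),
        "strict_pinned_smtp": strict_accept(store, "mail.example", 465, PINNED_CERT, False),
    }

if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The last case shows the pin scoped to one service: the certificate accepted for IMAP is not trusted for SMTP until it is pinned there as well.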
