Improper TLS Certificate Verification in GNOME Evolution RSS
CVE-2021-39361

5.9MEDIUM

Key Information:

Vendor: Gnome
Status: Evolution-rss
Vendor: CVE Published:; 22 August 2021

Summary

The GNOME Evolution RSS application, specifically in versions up to 0.3.96, contains a flaw in its network-soup.c component, where the SoupSessionSync objects it generates do not activate TLS certificate verification. This oversight renders users susceptible to man-in-the-middle (MITM) attacks, where an attacker could intercept and potentially manipulate the data transmitted over the network. This vulnerability is similar to previous issues noted in related components, emphasizing the criticality of proper certificate validation in maintaining secure communications.

References

https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-so...

x_refsource_MISC

https://gitlab.gnome.org/GNOME/evolution-rss/-/issues/11

x_refsource_MISC

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 22, 2021
Vulnerability Reserved
Aug 22, 2021