First published: Mon Jul 27 2020
LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Libetpan Project Libetpan | <=1.9.4 | |
MailCore 2 | <=0.6.3 | |
Fedoraproject Fedora | =31 | |
Fedoraproject Fedora | =32 | |
Debian Debian Linux | =9.0 | |
CVE-2020-15953 is a vulnerability in LibEtPan that affects IMAP, SMTP, and POP3 protocols due to a STARTTLS buffering issue.
CVE-2020-15953 has a severity rating of 7.4 (High).
CVE-2020-15953 affects LibEtPan versions up to and including 1.9.4, MailCore 2 versions up to and including 0.6.3, Fedora versions 31 and 32, and Debian Linux version 9.0.
CVE-2020-15953 allows a meddler-in-the-middle attacker to append data to the server's "begin TLS" response; the client buffers that cleartext and evaluates it as if it had arrived over the TLS-protected connection ("response injection"), which puts the IMAP, SMTP, and POP3 protocols at risk.
It is recommended to update to a version of LibEtPan or MailCore 2 that is not affected by the vulnerability.
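As an added illustration (not LibEtPan's or MailCore 2's own code), the following Python sketch models the buffering defect described above and the check that closes it: a line reader keeps cleartext that arrived in the same read as the "begin TLS" reply, and that leftover is served after the upgrade as if the TLS peer had sent it. The transport, the POP3 STLS exchange and the injected line are all constructed, and no real TLS handshake takes place.

```python
class FakeTransport:
    """Delivers a cleartext segment before STARTTLS and an authenticated one after."""
    def __init__(self, cleartext: bytes, after_tls: bytes):
        self.cleartext, self.after_tls, self.tls_active = cleartext, after_tls, False

    def recv(self) -> bytes:
        # One socket read may return the server's reply *and* whatever follows it.
        if not self.tls_active:
            data, self.cleartext = self.cleartext, b""
        else:
            data, self.after_tls = self.after_tls, b""
        return data

    def start_tls(self) -> None:
        self.tls_active = True  # stands in for the real handshake


class LineClient:
    def __init__(self, transport: FakeTransport, strict: bool):
        self.t, self.strict, self.buf = transport, strict, b""

    def readline(self) -> bytes:
        while b"\r\n" not in self.buf:
            chunk = self.t.recv()
            if not chunk:
                raise ConnectionError("peer closed")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line

    def starttls(self) -> None:
        if self.strict and self.buf:
            # Fixed behaviour: bytes that followed the "begin TLS" reply were never
            # protected by TLS, so they must not be evaluated in the TLS context.
            raise ConnectionError(f"cleartext after STARTTLS reply: {self.buf!r}")
        self.t.start_tls()  # vulnerable path: self.buf (cleartext) survives the upgrade


def pop3_stls_then_read(strict: bool):
    """Returns the first line the client attributes to the TLS peer, or None if refused."""
    # Constructed traffic: a genuine "+OK" to STLS, followed in the same cleartext
    # segment by a line that a meddler-in-the-middle could have appended.
    cleartext = b"+OK Begin TLS negotiation\r\n+OK injected-by-mitm\r\n"
    after_tls = b"+OK real-server-over-tls\r\n"
    client = LineClient(FakeTransport(cleartext, after_tls), strict)
    assert client.readline().startswith(b"+OK")  # reply to our STLS command
    try:
        client.starttls()
    except ConnectionError:
        return None
    return client.readline()
```

The vulnerable client (`strict=False`) reports the injected line as the TLS peer's first response, while the strict client refuses the upgrade; the same check applies to IMAP STARTTLS and SMTP STARTTLS.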