CVE-2020-24661
First published: Wed Aug 26 2020(Updated: )
GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store. This allows a meddler in the middle to present a different invalid certificate to intercept incoming and outgoing mail.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNOME Geary | <3.36.3 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gitlab.gnome.org/GNOME/geary/-/issues/866
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7OTYTGND6EFOKNQJWCHKKXKSN7SM73Y/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS6CSTOBVO5HSAR3X5CT6DS6QDHXDB26/
- https://tools.cisco.com/security/center/content/CiscoSeg/message/NS6CSTOBVO5HSAR3X5CT6DS6QDHXDB26/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS6CSTOBVO5HSAR3X5CT6DS6QDHXDB26/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G7OTYTGND6EFOKNQJWCHKKXKSN7SM73Y/
Frequently Asked Questions
What is CVE-2020-24661?
CVE-2020-24661 is a vulnerability in GNOME Geary before version 3.36.3 that mishandles pinned TLS certificate verification for IMAP and SMTP services.
What is the severity of CVE-2020-24661?
The severity of CVE-2020-24661 is medium with a CVSS v3 base score of 5.9.
How does CVE-2020-24661 affect GNOME Geary?
CVE-2020-24661 affects GNOME Geary versions up to and excluding 3.36.3.
How does CVE-2020-24661 impact Fedora?
CVE-2020-24661 impacts Fedora versions 31 and 32.
Is there a fix for CVE-2020-24661?
Yes, the fix for CVE-2020-24661 is to update GNOME Geary to version 3.36.3.
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/tags
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/gnome
- canonical/gnome geary
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32