CVE-2014-2014

Severity

43%

Complexity

86%

Confidentiality

48%

imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N).

Overview

Type

Gilles Lamiral imapsync

First reported 10 years ago

2014-04-18 22:14:00

Last updated 10 years ago

2014-04-21 16:19:00

Affected Software

Gilles Lamiral imapsync 1.53

1.53

Gilles Lamiral imapsync 1.500

1.500

Gilles Lamiral imapsync 1.504

1.504

Gilles Lamiral imapsync 1.508

1.508

Gilles Lamiral imapsync 1.516

1.516

Gilles Lamiral imapsync 1.518

1.518

Gilles Lamiral imapsync 1.525

1.525

Gilles Lamiral imapsync 1.542

1.542

Gilles Lamiral imapsync 1.547

1.547

Gilles Lamiral imapsync 1.554

1.554

Gilles Lamiral imapsync 1.558

1.558

Gilles Lamiral imapsync 1.564

1.564

Gilles Lamiral imapsync 1.567

1.567

Gilles Lamiral imapsync 1.569

1.569

References

[oss-security] 20140217 CVE request: "imapsync ignores the --tls switch and sends my authentication plaintext."

[oss-security] 20140218 Re: CVE request: "imapsync ignores the --tls switch and sends my authentication plaintext."

Patch

[imapsync_list] 20140120 Re: [imapsync] STARTTLS support (#15)

[imapsync_list] 20140122 Re: [imapsync] Upon certificate issues STARTTLS is ignored and the password sent in plaintext (#15)

MDVSA-2014:060

https://bugs.mageia.org/show_bug.cgi?id=12770

https://github.com/imapsync/imapsync/issues/15

FEDORA-2014-2505

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.