CVE-2020-14928 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Severity

59%

Complexity

22%

Confidentiality

60%

evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection."

CVSS 3.1 Base Score 5.9. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N).

Overview

First reported 4 years ago

2020-07-17 16:15:00

Last updated 4 years ago

2020-08-14 15:25:00

Affected Software

Debian Linux 9.0

9.0

Fedora 31

31

Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)

16.04

Canonical Ubuntu Linux 18.04 LTS Edition

18.04

Canonical Ubuntu Linux 20.04 LTS Edition

20.04

References

https://bugzilla.suse.com/show_bug.cgi?id=1173910

https://gitlab.gnome.org/GNOME//evolution-data-server/commit/ba82be72cfd427b5d72ff21f929b3a6d8529c4df

https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/f404f33fb01b23903c2bbb16791c7907e457fbac

https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226

https://lists.debian.org/debian-lts-announce/2020/07/msg00012.html

https://security-tracker.debian.org/tracker/DLA-2281-1

https://security-tracker.debian.org/tracker/DSA-4725-1

DSA-4725

https://bugzilla.suse.com/show_bug.cgi?id=1173910

Issue Tracking, Patch, Third Party Advisory

https://gitlab.gnome.org/GNOME//evolution-data-server/commit/ba82be72cfd427b5d72ff21f929b3a6d8529c4df

Patch, Third Party Advisory

https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/f404f33fb01b23903c2bbb16791c7907e457fbac

Patch, Third Party Advisory

https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226

Exploit, Third Party Advisory

https://lists.debian.org/debian-lts-announce/2020/07/msg00012.html

Mailing List, Third Party Advisory

https://security-tracker.debian.org/tracker/DLA-2281-1

Third Party Advisory

https://security-tracker.debian.org/tracker/DSA-4725-1

Third Party Advisory

DSA-4725

Third Party Advisory

USN-4429-1

FEDORA-2020-45041afb19

FEDORA-2020-45041afb19

Mailing List, Third Party Advisory

USN-4429-1

Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.