CVE-2020-14928
Published: 8 July 2020
evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection."
Priority
Status
Package | Release | Status |
---|---|---|
evolution-data-server Launchpad, Ubuntu, Debian |
focal |
Released
(3.36.3-0ubuntu1.1)
|
bionic |
Released
(3.28.5-0ubuntu0.18.04.3)
|
|
eoan |
Ignored
(end of life)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(3.36.4-1)
|
|
xenial |
Released
(3.18.5-1ubuntu1.3)
|
|
Patches: upstream: https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/f404f33fb01b23903c2bbb16791c7907e457fbac upstream: https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/b74b765188d96803814acf69a510a7160d9ee6c5 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.9 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |