Name of the Vulnerable Software and Affected Versions sssmtp (affected versions not specified)

Description The issue concerns a lack of x509 certificate validation when ssmtp initiates a TLS connection to a server. This could allow a rogue server to conduct a man-in-the-middle attack, potentially leading to a user credentials leak. Alterations to the configuration may be required when using TLS.

Recommendations To address the issue, uncomment the line TLS CA File=/etc/pki/tls/certs/ca-bundle.crt in the ssmtp.conf file if TLS authentication is used. This will load root certificates, which should be created as ssmtp.conf.rpmnew if the configuration has been altered.