Jon Kristensen

**Name of the Vulnerable Software and Affected Versions** evolution-data-server versions prior to 3.21.2 **Description** The issue allows remote attackers to obtain sensitive information by sniffing the network due to incorrect handling of cleartext data containing a password when the client wishes to use STARTTLS but the server will not use it. The server code was intended to report an error and not proceed, but it was written incorrectly. **Recommendations** For versions prior to 3.21.2, update to version 3.21.2 or later to resolve the issue. As a temporary workaround, consider disabling the use of cleartext passwords or restricting network access to minimize the risk of exploitation.