CVE-2016-10727

Name of the Vulnerable Software and Affected Versions evolution-data-server versions prior to 3.21.2

Description The issue allows remote attackers to obtain sensitive information by sniffing the network due to incorrect handling of cleartext data containing a password when the client wishes to use STARTTLS but the server will not use it. The server code was intended to report an error and not proceed, but it was written incorrectly.

Recommendations For versions prior to 3.21.2, update to version 3.21.2 or later to resolve the issue. As a temporary workaround, consider disabling the use of cleartext passwords or restricting network access to minimize the risk of exploitation.