PT-2020-14734 · Unknown+4 · Mailcore 2+4

Published: 2020-07-27 · Updated: 2023-11-23 · CVE-2020-15953

CVSS v3.1: 7.4 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

LibEtPan versions 1.9.4 and earlier
MailCore 2 versions 0.6.3 and earlier

Description

The issue affects the IMAP, SMTP, and POP3 protocols and is caused by a STARTTLS buffering problem. When a server sends a "begin TLS" response, the client reads additional data, potentially from a meddler-in-the-middle attacker, and evaluates it in a TLS context. This is referred to as "response injection."

Recommendations

For LibEtPan versions 1.9.4 and earlier, update to a version later than 1.9.4 to resolve the issue. For MailCore 2 versions 0.6.3 and earlier, update to a version later than 0.6.3 to resolve the issue. As a temporary workaround, consider restricting the use of STARTTLS in affected protocols until a patch is available.
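
The buffering problem in the description, shown as an added example in C that is not LibEtPan or MailCore 2 code: a client-side check that refuses to begin the TLS handshake when any bytes sit in the read buffer behind the server's "begin TLS" line. The `rbuf` reader, the function names and the SMTP sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffered reader standing in for a mail client's stream layer. */
struct rbuf { char data[512]; size_t len; };

/* Pop one CRLF-terminated line into out; 0 on success, -1 if none is complete. */
static int rbuf_readline(struct rbuf *b, char *out, size_t outsz) {
    for (size_t i = 0; i + 1 < b->len; i++) {
        if (b->data[i] != '\r' || b->data[i + 1] != '\n') continue;
        if (i >= outsz) return -1;
        memcpy(out, b->data, i);
        out[i] = '\0';
        b->len -= i + 2;
        memmove(b->data, b->data + i + 2, b->len);
        return 0;
    }
    return -1;
}

enum tls_gate { GATE_START_TLS, GATE_REFUSED, GATE_INJECTION };

/* Called after sending SMTP STARTTLS: decide whether the handshake may begin. */
static enum tls_gate smtp_starttls_gate(struct rbuf *b) {
    char line[256];
    if (rbuf_readline(b, line, sizeof line) != 0 || strncmp(line, "220 ", 4) != 0)
        return GATE_REFUSED;          /* no "begin TLS" reply: stay out of TLS */
    if (b->len != 0) {                /* plaintext arrived behind the reply */
        b->len = 0;                   /* never carry it across the TLS boundary */
        return GATE_INJECTION;        /* caller should close the connection */
    }
    return GATE_START_TLS;
}

/* Run the gate over bytes as they would sit in the buffer after one recv(). */
static enum tls_gate gate_for_capture(const char *bytes) {
    struct rbuf b = { {0}, 0 };
    size_t n = strlen(bytes);
    if (n > sizeof b.data) return GATE_REFUSED;
    memcpy(b.data, bytes, n);
    b.len = n;
    return smtp_starttls_gate(&b);
}

int main(void) {
    /* Constructed samples: a clean reply, and one with a trailing plaintext line. */
    printf("clean:    %d\n", gate_for_capture("220 Ready to start TLS\r\n"));
    printf("trailing: %d\n", gate_for_capture("220 Ready to start TLS\r\n250 constructed.example\r\n"));
    return 0;
}
```

The same emptiness check applies at the equivalent point in IMAP and POP3, after the tagged `OK` or `+OK` reply to the STARTTLS/STLS command.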

Exploit

Fix

Weakness Enumeration

Special Elements Injection

Related Identifiers

ALT-PU-2020-2908
ALT-PU-2020-2942
ALT-PU-2023-7015
ALT-PU-2023-7017
ALT-PU-2023-7051
ALT-PU-2023-7122
ALT-PU-2023-7434
CVE-2020-15953
DLA-2329-1
MGASA-2020-0366
OPENSUSE-SU-2020:1454-1
OPENSUSE-SU-2020:1505-1
OPENSUSE-SU-2020_1454-1
OPENSUSE-SU-2024:10938-1
USN-4598-1

Affected Products

Alt Linux
Libetpan
Mailcore 2
Suse
Ubuntu