CVE-2021-39272 : Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some cir

Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.

Published 2021-08-30 06:15:06

Updated 2022-10-28 13:18:38

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2021-39272

Fetchmail » Fetchmail
Versions before (<) 6.4.22
cpe:2.3:a:fetchmail:fetchmail:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 26 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Assigned by: nvd@nist.gov (Primary)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXMKSEHAQSEDCWZMAOJEGX3P3JW6QY6H/

[SECURITY] Fedora 35 Update: fetchmail-6.4.22-1.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://www.fetchmail.info/security.html

Fetchmail
Vendor Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XJ6XLEJCEZCAM5LGGD6XBCC522QLG4/

[SECURITY] Fedora 34 Update: fetchmail-6.4.22-1.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://nostarttls.secvuln.info/

NO STARTTLS
Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202209-14

Fetchmail: Multiple Vulnerabilities (GLSA 202209-14) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYCYLL73NP7ALJWSDICIVSA47ZIXWSSA/

[SECURITY] Fedora 33 Update: fetchmail-6.4.22-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/08/27/3

oss-security - ANNOUNCE: fetchmail security announcement 2021-02 (CVE-2021-39272) - TLS bypass vulnerabilities ("NO STARTTLS")
Mailing List;Third Party Advisory

Jump to