Vulnerability CVE-2020-24661


Published: 2020-08-26

Description:
GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store. This allows a meddler in the middle to present a different invalid certificate to intercept incoming and outgoing mail.

Type:

CWE-295

(Certificate Issues)

CVSS2 => (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
2.6/10
2.9/10
4.9/10
Exploit range
Attack complexity
Authentication
Remote
High
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Gnome -> Geary 

 References:
https://gitlab.gnome.org/GNOME/geary/-/issues/866
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS6CSTOBVO5HSAR3X5CT6DS6QDHXDB26/

Copyright 2024, cxsecurity.com

 

Back to Top