CVE-2020-15953

LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.4 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
VendorProductVersion
libetpan_projectlibetpan
𝑥
≤ 1.9.4
libmailcoremailcore2
𝑥
≤ 0.6.3
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libetpan
bullseye
1.9.4-3
fixed
bookworm
1.9.4-3.1
fixed
sid
1.9.4-4
fixed
trixie
1.9.4-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libetpan
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
hirsute
ignored
groovy
ignored
focal
needs-triage
bionic
needs-triage
xenial
Fixed 1.6-1ubuntu0.1
released
trusty
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00075.html
https://github.com/dinhvh/libetpan/issues/386
https://lists.debian.org/debian-lts-announce/2020/08/msg00026.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M65FVH5XPS23NLHFN3ABEGBSCHZAISXN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/
https://security.gentoo.org/glsa/202007-55
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00075.html
https://github.com/dinhvh/libetpan/issues/386
https://lists.debian.org/debian-lts-announce/2020/08/msg00026.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M65FVH5XPS23NLHFN3ABEGBSCHZAISXN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/
https://security.gentoo.org/glsa/202007-55