CVE-2020-15953

EUVD-2020-7924
LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.4 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
Affected Products (NVD)
VendorProductVersion
libetpan_projectlibetpan
𝑥
≤ 1.9.4
libmailcoremailcore2
𝑥
≤ 0.6.3
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libetpan
bookworm
1.9.4-3.1
fixed
bullseye
1.9.4-3
fixed
sid
1.9.4-4
fixed
trixie
1.9.4-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libetpan
bionic
needs-triage
focal
needs-triage
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
dne
xenial
Fixed 1.6-1ubuntu0.1
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00075.html
https://github.com/dinhvh/libetpan/issues/386
https://lists.debian.org/debian-lts-announce/2020/08/msg00026.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M65FVH5XPS23NLHFN3ABEGBSCHZAISXN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/
https://security.gentoo.org/glsa/202007-55
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00075.html
https://github.com/dinhvh/libetpan/issues/386
https://lists.debian.org/debian-lts-announce/2020/08/msg00026.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M65FVH5XPS23NLHFN3ABEGBSCHZAISXN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/
https://security.gentoo.org/glsa/202007-55