CVE-2020-29547

EUVD-2020-21913
An issue was discovered in Citadel through webcit-926. Meddler-in-the-middle attackers can pipeline commands after POP3 STLS, IMAP STARTTLS, or SMTP STARTTLS commands, injecting cleartext commands into an encrypted user session. This can lead to credential disclosure.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADPADP
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 60%
Affected Products (NVD)
VendorProductVersion
citadelwebcit
𝑥
≤ 926
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
citadel
bionic
needs-triage
focal
needs-triage
hirsute
ignored
impish
ignored
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
needs-triage
Common Weakness Enumeration
References
http://uncensored.citadel.org/dotgoto?room=Citadel%20Security
http://uncensored.citadel.org/msg/4576039
http://uncensored.citadel.org/dotgoto?room=Citadel%20Security
http://uncensored.citadel.org/msg/4576039