CVE-2020-15953

HIGH EPSS 81.9%
Published Jul 27, 2020 (5y ago) · Modified Jun 17, 2026 (2w ago)
7.4 CVSS 3.1
High

Description

LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."

CVSS Details

Base Score: 7.4
Exploitability: 2.2
Impact: 5.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Threat Intelligence

EPSS Exploit Probability: 81.9% percentile
Exploit & Patch Status: Public Exploit Known, Patch Available

Weaknesses 1

CWE-74

Affected Products 5

Vendor            Product       Version  Range
libetpan_project  libetpan      *        ≤1.9.4
libmailcore       mailcore2     *        ≤0.6.3
fedoraproject     fedora        31       any
fedoraproject     fedora        32       any
debian            debian_linux  9.0      any

References 7

  • lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00060.html
    Broken Link
  • lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00075.html
    Broken Link
  • github.com https://github.com/dinhvh/libetpan/issues/386
    Exploit, Patch, Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2020/08/msg00026.html
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M65FVH5XPS23NLHFN3ABEGBSCHZAISXN/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QFBWNA5REI5ZGW2DAOEAVHM23MOU6O5J/
  • security.gentoo.org https://security.gentoo.org/glsa/202007-55
    Third Party Advisory

Remediation

  • github.com https://github.com/dinhvh/libetpan/issues/386
    Exploit, Patch, Third Party Advisory