CVE-2014-2014

Current Description

imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

Basic Data

Published: April 18, 2014
Last Modified: April 21, 2014
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-255
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Integrity Impact: NONE
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    CPE Version | Part        | Vendor         | Product  | Version | Range end
    2.3         | Application | Gilles Lamiral | Imapsync | 1.53    |
    2.3         | Application | Gilles Lamiral | Imapsync | 1.500   |
    2.3         | Application | Gilles Lamiral | Imapsync | 1.504   |
    2.3         | Application | Gilles Lamiral | Imapsync | 1.508   |
    2.3         | Application | Gilles Lamiral | Imapsync | 1.516   |
    2.3         | Application | Gilles Lamiral | Imapsync | 1.518   |
    2.3         | Application | Gilles Lamiral | Imapsync | 1.525   |
    2.3         | Application | Gilles Lamiral | Imapsync | 1.542   |
    2.3         | Application | Gilles Lamiral | Imapsync | 1.547   |
    2.3         | Application | Gilles Lamiral | Imapsync | 1.554   |
    2.3         | Application | Gilles Lamiral | Imapsync | 1.558   |
    2.3         | Application | Gilles Lamiral | Imapsync | 1.564   |
    2.3         | Application | Gilles Lamiral | Imapsync | 1.567   |
    2.3         | Application | Gilles Lamiral | Imapsync | 1.569   |
    2.3         | Application | Gilles Lamiral | Imapsync | *       | 1.580
    (The Update, Edition, Language, SW Edition, Target SW, Target HW and Other CPE fields are "*" in every row.)

Vulnerable Software List

Vendor         | Product  | Versions
Gilles Lamiral | Imapsync | *, 1.500, 1.504, 1.508, 1.516, 1.518, 1.525, 1.53, 1.542, 1.547, 1.554, 1.558, 1.564, 1.567, 1.569

References

Name | URL | Tags
[oss-security] 20140217 CVE request: "imapsync ignores the --tls switch and sends my authentication plaintext." | http://seclists.org/oss-sec/2014/q1/367 | MLIST
[oss-security] 20140218 Re: CVE request: "imapsync ignores the --tls switch and sends my authentication plaintext." | http://seclists.org/oss-sec/2014/q1/378 | MLIST, PATCH
[imapsync_list] 20140120 Re: [imapsync] STARTTLS support (#15) | http://www.linux-france.org/prj/imapsync_list/msg01907.html | MLIST
[imapsync_list] 20140122 Re: [imapsync] Upon certificate issues STARTTLS is ignored and the password sent in plaintext (#15) | http://www.linux-france.org/prj/imapsync_list/msg01910.html | MLIST
MDVSA-2014:060 | http://www.mandriva.com/security/advisories?name=MDVSA-2014:060 | MANDRIVA
https://bugs.mageia.org/show_bug.cgi?id=12770 | https://bugs.mageia.org/show_bug.cgi?id=12770 | CONFIRM
https://github.com/imapsync/imapsync/issues/15 | https://github.com/imapsync/imapsync/issues/15 | CONFIRM
FEDORA-2014-2505 | https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html | FEDORA