Current Description

imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

Basic Data

PublishedApril 18, 2014
Last ModifiedApril 21, 2014
Data TypeCVE
Data FormatMITRE
Data Version4.0
Problem TypeCWE-255
CVE Data Version4.0

Base Metric V2

CVSS 2 - Version2.0
CVSS 2 - Vector StringAV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS 2 - Access VectorNETWORK
CVSS 2 - Access ComplexityMEDIUM
CVSS 2 - AuthenticationNONE
CVSS 2 - Confidentiality ImpactPARTIAL
CVSS 2 - Availability ImpactNONE
CVSS 2 - Base Score4.3
Exploitability Score8.6
Impact Score2.9
Obtain All Privilegefalse
Obtain User Privilegefalse
Obtain Other Privilegefalse

Base Metric V3

No data provided.


  • OR - Configuration 1
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3ApplicationGilles LamiralImapsync1.53*******
    2.3ApplicationGilles LamiralImapsync1.500*******
    2.3ApplicationGilles LamiralImapsync1.504*******
    2.3ApplicationGilles LamiralImapsync1.508*******
    2.3ApplicationGilles LamiralImapsync1.516*******
    2.3ApplicationGilles LamiralImapsync1.518*******
    2.3ApplicationGilles LamiralImapsync1.525*******
    2.3ApplicationGilles LamiralImapsync1.542*******
    2.3ApplicationGilles LamiralImapsync1.547*******
    2.3ApplicationGilles LamiralImapsync1.554*******
    2.3ApplicationGilles LamiralImapsync1.558*******
    2.3ApplicationGilles LamiralImapsync1.564*******
    2.3ApplicationGilles LamiralImapsync1.567*******
    2.3ApplicationGilles LamiralImapsync1.569*******
    2.3ApplicationGilles LamiralImapsync********1.580

Vulnerable Software List

Gilles Lamiral Imapsync *, 1.500, 1.504, 1.508, 1.516, 1.518, 1.525, 1.53, 1.542, 1.547, 1.554, 1.558, 1.564, 1.567, 1.569


[oss-security] 20140217 CVE request: "imapsync ignores the --tls switch and sends my authentication plaintext."
[oss-security] 20140218 Re: CVE request: "imapsync ignores the --tls switch and sends my authentication plaintext."
[imapsync_list] 20140120 Re: [imapsync] STARTTLS support (#15)
[imapsync_list] 20140122 Re: [imapsync] Upon certificate issues STARTTLS is ignored and the password sent in plaintext (#15)