GHSA-899r-9fxv-q4xmMediumCVSS 6.5
OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication...
🔗 CVE IDs covered (1)
📋 Description
OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.
🔗 References (6)
- https://nvd.nist.gov/vuln/detail/CVE-2020-37248
- https://github.com/OfflineIMAP/offlineimap/issues/669
- https://github.com/OfflineIMAP/offlineimap3/issues/222
- https://github.com/OfflineIMAP/offlineimap3/commit/46505c53ef995455d66c685f9ec3ff6ea93dbb74
- https://pypi.org/project/offlineimap/#history
- https://github.com/advisories/GHSA-899r-9fxv-q4xm