Vulnerability-Lookup

CVE-2021-39272 (GCVE-0-2021-39272)

Vulnerability from cvelistv5 – Published: 2021-08-30 05:05 – Updated: 2024-08-04 02:06

Summary

Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.fetchmail.info/security.html	x_refsource_MISC
	https://nostarttls.secvuln.info/	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2021/08/27/3	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://security.gentoo.org/glsa/202209-14	vendor-advisoryx_refsource_GENTOO

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:06:41.615Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.fetchmail.info/security.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://nostarttls.secvuln.info/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/08/27/3"
          },
          {
            "name": "FEDORA-2021-ddefbdbb46",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XJ6XLEJCEZCAM5LGGD6XBCC522QLG4/"
          },
          {
            "name": "FEDORA-2021-9998719311",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYCYLL73NP7ALJWSDICIVSA47ZIXWSSA/"
          },
          {
            "name": "FEDORA-2021-e61a978fef",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXMKSEHAQSEDCWZMAOJEGX3P3JW6QY6H/"
          },
          {
            "name": "GLSA-202209-14",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202209-14"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-25T15:07:04.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.fetchmail.info/security.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nostarttls.secvuln.info/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/08/27/3"
        },
        {
          "name": "FEDORA-2021-ddefbdbb46",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XJ6XLEJCEZCAM5LGGD6XBCC522QLG4/"
        },
        {
          "name": "FEDORA-2021-9998719311",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYCYLL73NP7ALJWSDICIVSA47ZIXWSSA/"
        },
        {
          "name": "FEDORA-2021-e61a978fef",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXMKSEHAQSEDCWZMAOJEGX3P3JW6QY6H/"
        },
        {
          "name": "GLSA-202209-14",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202209-14"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-39272",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.fetchmail.info/security.html",
              "refsource": "MISC",
              "url": "https://www.fetchmail.info/security.html"
            },
            {
              "name": "https://nostarttls.secvuln.info/",
              "refsource": "MISC",
              "url": "https://nostarttls.secvuln.info/"
            },
            {
              "name": "http://www.openwall.com/lists/oss-security/2021/08/27/3",
              "refsource": "MISC",
              "url": "http://www.openwall.com/lists/oss-security/2021/08/27/3"
            },
            {
              "name": "FEDORA-2021-ddefbdbb46",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XJ6XLEJCEZCAM5LGGD6XBCC522QLG4/"
            },
            {
              "name": "FEDORA-2021-9998719311",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYCYLL73NP7ALJWSDICIVSA47ZIXWSSA/"
            },
            {
              "name": "FEDORA-2021-e61a978fef",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXMKSEHAQSEDCWZMAOJEGX3P3JW6QY6H/"
            },
            {
              "name": "GLSA-202209-14",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202209-14"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-39272",
    "datePublished": "2021-08-30T05:05:26.000Z",
    "dateReserved": "2021-08-18T00:00:00.000Z",
    "dateUpdated": "2024-08-04T02:06:41.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

FKIE_CVE-2021-39272

Vulnerability from fkie_nvd - Published: 2021-08-30 06:15 - Updated: 2024-11-21 06:19

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.

References

URL	Tags
cve@mitre.org	http://www.openwall.com/lists/oss-security/2021/08/27/3	Mailing List, Third Party Advisory
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XJ6XLEJCEZCAM5LGGD6XBCC522QLG4/
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXMKSEHAQSEDCWZMAOJEGX3P3JW6QY6H/
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYCYLL73NP7ALJWSDICIVSA47ZIXWSSA/
cve@mitre.org	https://nostarttls.secvuln.info/	Third Party Advisory
cve@mitre.org	https://security.gentoo.org/glsa/202209-14	Third Party Advisory
cve@mitre.org	https://www.fetchmail.info/security.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/08/27/3	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XJ6XLEJCEZCAM5LGGD6XBCC522QLG4/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXMKSEHAQSEDCWZMAOJEGX3P3JW6QY6H/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYCYLL73NP7ALJWSDICIVSA47ZIXWSSA/
af854a3a-2127-422b-91ae-364da2661108	https://nostarttls.secvuln.info/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202209-14	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.fetchmail.info/security.html	Vendor Advisory

Impacted products

Vendor	Product	Version
fetchmail	fetchmail	*
fedoraproject	fedora	33
fedoraproject	fedora	34
fedoraproject	fedora	35

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fetchmail:fetchmail:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4AD13C43-606A-433C-98D9-1A24397CD739",
              "versionEndExcluding": "6.4.22",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
              "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
              "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
              "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH."
    },
    {
      "lang": "es",
      "value": "Fetchmail versiones anteriores a 6.4.22, no puede aplicar el cifrado de sesi\u00f3n STARTTLS en determinadas circunstancias, como una situaci\u00f3n con IMAP y PREAUTH."
    }
  ],
  "id": "CVE-2021-39272",
  "lastModified": "2024-11-21T06:19:05.287",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-30T06:15:06.450",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2021/08/27/3"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XJ6XLEJCEZCAM5LGGD6XBCC522QLG4/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXMKSEHAQSEDCWZMAOJEGX3P3JW6QY6H/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYCYLL73NP7ALJWSDICIVSA47ZIXWSSA/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://nostarttls.secvuln.info/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202209-14"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.fetchmail.info/security.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2021/08/27/3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XJ6XLEJCEZCAM5LGGD6XBCC522QLG4/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXMKSEHAQSEDCWZMAOJEGX3P3JW6QY6H/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYCYLL73NP7ALJWSDICIVSA47ZIXWSSA/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://nostarttls.secvuln.info/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202209-14"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.fetchmail.info/security.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-319"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2021-39272

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.

Aliases

CVE-2021-39272

Aliases

CVE-2021-39272

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-39272",
    "description": "Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.",
    "id": "GSD-2021-39272",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-39272.html",
      "https://advisories.mageia.org/CVE-2021-39272.html",
      "https://security.archlinux.org/CVE-2021-39272",
      "https://linux.oracle.com/cve/CVE-2021-39272.html",
      "https://access.redhat.com/errata/RHSA-2022:1964"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-39272"
      ],
      "details": "Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.",
      "id": "GSD-2021-39272",
      "modified": "2023-12-13T01:23:15.576658Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2021-39272",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.fetchmail.info/security.html",
            "refsource": "MISC",
            "url": "https://www.fetchmail.info/security.html"
          },
          {
            "name": "https://nostarttls.secvuln.info/",
            "refsource": "MISC",
            "url": "https://nostarttls.secvuln.info/"
          },
          {
            "name": "http://www.openwall.com/lists/oss-security/2021/08/27/3",
            "refsource": "MISC",
            "url": "http://www.openwall.com/lists/oss-security/2021/08/27/3"
          },
          {
            "name": "FEDORA-2021-ddefbdbb46",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XJ6XLEJCEZCAM5LGGD6XBCC522QLG4/"
          },
          {
            "name": "FEDORA-2021-9998719311",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYCYLL73NP7ALJWSDICIVSA47ZIXWSSA/"
          },
          {
            "name": "FEDORA-2021-e61a978fef",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXMKSEHAQSEDCWZMAOJEGX3P3JW6QY6H/"
          },
          {
            "name": "GLSA-202209-14",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202209-14"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:fetchmail:fetchmail:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.4.22",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-39272"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-319"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://nostarttls.secvuln.info/",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://nostarttls.secvuln.info/"
            },
            {
              "name": "http://www.openwall.com/lists/oss-security/2021/08/27/3",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/08/27/3"
            },
            {
              "name": "https://www.fetchmail.info/security.html",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.fetchmail.info/security.html"
            },
            {
              "name": "FEDORA-2021-ddefbdbb46",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XJ6XLEJCEZCAM5LGGD6XBCC522QLG4/"
            },
            {
              "name": "FEDORA-2021-9998719311",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYCYLL73NP7ALJWSDICIVSA47ZIXWSSA/"
            },
            {
              "name": "FEDORA-2021-e61a978fef",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXMKSEHAQSEDCWZMAOJEGX3P3JW6QY6H/"
            },
            {
              "name": "GLSA-202209-14",
              "refsource": "GENTOO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202209-14"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-10-28T13:18Z",
      "publishedDate": "2021-08-30T06:15Z"
    }
  }
}

cve-2021-39272

Vulnerability from osv_almalinux

Published

2022-05-10 06:41

Modified

2022-05-10 08:09

Summary

Moderate: fetchmail security update

Details

Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, like SLIP or PPP connections. Fetchmail supports every remote-mail protocol currently in use on the Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6, and IPSEC) for retrieval. Then Fetchmail forwards the mail through SMTP so the user can read it through their favorite mail client.

Security Fix(es):

fetchmail: DoS or information disclosure when logging long messages (CVE-2021-36386)
fetchmail: STARTTLS session encryption bypassing (CVE-2021-39272)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "fetchmail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.24-1.el8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, like SLIP or PPP connections. Fetchmail supports every remote-mail protocol currently in use on the Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6, and IPSEC) for retrieval. Then Fetchmail forwards the mail through SMTP so the user can read it through their favorite mail client.\n\nSecurity Fix(es):\n\n* fetchmail: DoS or information disclosure when logging long messages (CVE-2021-36386)\n\n* fetchmail: STARTTLS session encryption bypassing (CVE-2021-39272)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
  "id": "ALSA-2022:1964",
  "modified": "2022-05-10T08:09:49Z",
  "published": "2022-05-10T06:41:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2022-1964.html"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2021-36386"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2021-39272"
    }
  ],
  "related": [
    "CVE-2021-36386",
    "CVE-2021-39272"
  ],
  "summary": "Moderate: fetchmail security update"
}

GHSA-X8J8-PWR7-FRJW

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-13 00:01

Details

Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-39272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-30T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.",
  "id": "GHSA-x8j8-pwr7-frjw",
  "modified": "2022-07-13T00:01:36Z",
  "published": "2022-05-24T19:12:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39272"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XJ6XLEJCEZCAM5LGGD6XBCC522QLG4"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXMKSEHAQSEDCWZMAOJEGX3P3JW6QY6H"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYCYLL73NP7ALJWSDICIVSA47ZIXWSSA"
    },
    {
      "type": "WEB",
      "url": "https://nostarttls.secvuln.info"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202209-14"
    },
    {
      "type": "WEB",
      "url": "https://www.fetchmail.info/security.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/08/27/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-39272 (GCVE-0-2021-39272)

FKIE_CVE-2021-39272

GSD-2021-39272

cve-2021-39272

Vulnerability from osv_almalinux

GHSA-X8J8-PWR7-FRJW

Tags

Sightings

Nomenclature