Vulnerability Name: CVE-2020-15917 (CCN-185770)

Assigned: 2020-07-13
Published: 2020-07-13
Updated: 2022-11-16
Summary: common/session.c in Claws Mail before 3.17.6 has a protocol violation because suffix data after STARTTLS is mishandled.

CVSS v3 Severity:
  9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
    Scope: Scope (S): Unchanged
    Impact Metrics: Confidentiality (C): High; Integrity (I): High; Availability (A): High
  7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
  6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
    Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
    Scope: Scope (S): Unchanged
    Impact Metrics: Confidentiality (C): Low; Integrity (I): Low; Availability (A): Low

CVSS v2 Severity:
  7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
    Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
    Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial
  7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
    Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
    Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial

Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Gain Access
References:

Source: MITRE
Type: CNA
CVE-2020-15917

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:1116

Source: SUSE
Type: Broken Link, Mailing List, Third Party Advisory
openSUSE-SU-2020:1139

Source: SUSE
Type: Broken Link, Mailing List, Third Party Advisory
openSUSE-SU-2020:1269

Source: SUSE
Type: Broken Link, Mailing List, Third Party Advisory
openSUSE-SU-2020:1192

Source: SUSE
Type: Broken Link, Mailing List, Third Party Advisory
openSUSE-SU-2020:1822

Source: XF
Type: UNKNOWN
clawsmail-cve202015917-weak-security(185770)

Source: MISC
Type: Release Notes, Vendor Advisory
https://git.claws-mail.org/?p=claws.git;a=blob;f=RELEASE_NOTES

Source: CCN
Type: Claws GIT Repository
fix STARTTLS protocol violation

Source: MISC
Type: Mailing List, Patch, Vendor Advisory
https://git.claws-mail.org/?p=claws.git;a=commit;h=fcc25329049b6f9bd8d890f1197ed61eb12e14d5

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-fe6c1a9c16

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-2def860ce7

Source: GENTOO
Type: Third Party Advisory
GLSA-202007-56

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:claws-mail:claws-mail:*:*:*:*:*:*:*:* (Version < 3.17.6)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*
  • OR cpe:/a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • OR cpe:/o:opensuse:leap:15.2:*:*:*:*:*:*:*
  • OR cpe:/a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*

* Denotes that the component is vulnerable
Oval Definitions (Class: V = vulnerability definition, P = patch definition)

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:202015917 | V | CVE-2020-15917 | 2022-06-30
oval:org.opensuse.security:def:112082 | P | claws-mail-4.0.0-2.5 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:74398 | P | Security update for libaom (Moderate) | 2021-12-23
oval:org.opensuse.security:def:64823 | P | Security update for icu.691 (Important) | 2021-12-14
oval:org.opensuse.security:def:64795 | P | Security update for libvirt (Moderate) | 2021-11-05
oval:org.opensuse.security:def:64590 | P | Security update for rpm (Important) | 2021-10-15
oval:org.opensuse.security:def:105624 | P | claws-mail-4.0.0-2.5 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:63201 | P | dhcp-relay-4.3.5-4.15 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:63218 | P | libshibsp-lite7-2.6.1-1.48 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:64765 | P | Security update for ghostscript (Critical) | 2021-09-15
oval:org.opensuse.security:def:64555 | P | Security update for c-ares (Important) | 2021-08-17
oval:org.opensuse.security:def:64556 | P | Security update for libsndfile (Critical) | 2021-08-17
oval:org.opensuse.security:def:63511 | P | python2-Werkzeug-1.0.1-1.10 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:63350 | P | libspice-server-devel-0.14.3-1.48 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:62745 | P | fwupd-1.5.8-1.13 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:63040 | P | policycoreutils-devel-3.0-1.20 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:63015 | P | jackson-databind-2.10.5.1-3.3.2 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:63008 | P | glibc-devel-32bit-2.31-7.20 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62790 | P | libimobiledevice-devel-1.2.0+git20180427.26373b3-1.40 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:63012 | P | graphviz-perl-2.40.1-6.6.8 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:74656 | P | Security update for apache-commons-compress (Important) | 2021-08-05
oval:org.opensuse.security:def:64551 | P | Security update for qemu (Important) | 2021-07-27
oval:org.opensuse.security:def:103098 | P | Security update for claws-mail (Moderate) | 2021-07-16
oval:org.opensuse.security:def:11098 | P | Security update for claws-mail (Moderate) | 2021-07-16
oval:org.opensuse.security:def:110969 | P | Security update for claws-mail (Moderate) | 2021-07-16
oval:org.opensuse.security:def:96408 | P | Security update for claws-mail (Moderate) | 2021-07-16
oval:org.opensuse.security:def:111484 | P | Security update for claws-mail (Moderate) | 2021-07-16
oval:org.opensuse.security:def:109755 | P | Security update for claws-mail (Moderate) | 2021-07-16
oval:org.opensuse.security:def:63541 | P | icedtea-web-1.7.1-1.48 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:64688 | P | Security update for ipvsadm (Low) | 2021-05-13
oval:org.opensuse.security:def:64687 | P | Security update for dtc (Low) | 2021-05-13
oval:org.opensuse.security:def:63069 | P | gv-3.7.4-1.41 on GA media (Moderate) | 2021-04-29
oval:org.opensuse.security:def:64478 | P | Security update for apache-commons-io (Moderate) | 2021-04-20
oval:org.opensuse.security:def:64458 | P | Security update for xen (Important) | 2021-04-06
oval:org.opensuse.security:def:64663 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:63271 | P | libct4-1.1.36-3.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62922 | P | perl-YAML-LibYAML-0.59-1.16 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62590 | P | libyaml-cpp0_6-0.6.1-2.15 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63409 | P | nodejs12-12.18.0-2.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62589 | P | libxcb-render0-32bit-1.13-3.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63635 | P | libraw-devel-0.18.9-3.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63403 | P | xalan-j2-2.7.2-2.41 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63172 | P | nginx-1.14.0-1.14 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62613 | P | NetworkManager-1.22.6-1.36 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63643 | P | strongswan-nm-5.8.2-9.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63846 | P | Security update for apache2-mod_perl (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64419 | P | mutt on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63993 | P | Security update for ImageMagick (Moderate) | 2020-12-01
oval:org.opensuse.security:def:74530 | P | Security update for opera (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64222 | P | bzip2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64935 | P | Security update for trousers (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64897 | P | Security update for sysstat (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64202 | P | ruby2.5-rubygem-rails-html-sanitizer on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:74877 | P | Security update for libredwg (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64955 | P | Security update for libvpx (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64304 | P | libXi-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63962 | P | Security update for libgxps (Moderate) | 2020-12-01
oval:org.opensuse.security:def:75010 | P | Security update for claws-mail (Moderate) | 2020-12-01
oval:org.opensuse.security:def:65067 | P | Security update for ucode-intel (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64346 | P | libltdl7 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64334 | P | libipa_hbac-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64096 | P | Security update for gcc10 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63767 | P | Recommended update for NetworkManager (Low) | 2020-12-01
oval:org.opensuse.security:def:75009 | P | Security update for libraw (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63714 | P | Security update for gstreamer-plugins-base (Important) | 2020-12-01
oval:org.opensuse.security:def:64436 | P | perl-Mail-SpamAssassin on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64094 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:75142 | P | Security update for claws-mail (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63861 | P | Security update for procps (Important) | 2020-12-01
oval:org.opensuse.security:def:64228 | P | conntrack-tools on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64090 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:74524 | P | Security update for claws-mail (Moderate) | 2020-12-01
oval:org.opensuse.security:def:100258 | P | Security update for claws-mail (Moderate) | 2020-11-03
oval:org.opensuse.security:def:110837 | P | Security update for claws-mail (Moderate) | 2020-11-03
oval:org.opensuse.security:def:96383 | P | Security update for claws-mail (Moderate) | 2020-11-03
oval:org.opensuse.security:def:109730 | P | Security update for claws-mail (Moderate) | 2020-11-03
oval:org.opensuse.security:def:110280 | P | Security update for claws-mail (Moderate) | 2020-11-03
oval:org.opensuse.security:def:103073 | P | Security update for claws-mail (Moderate) | 2020-11-03
oval:org.opensuse.security:def:93545 | P | Security update for claws-mail (Moderate) | 2020-11-03
oval:org.opensuse.security:def:93506 | P | Security update for claws-mail (Moderate) | 2020-08-27
oval:org.opensuse.security:def:100219 | P | Security update for claws-mail (Moderate) | 2020-08-27
oval:org.opensuse.security:def:96348 | P | Security update for claws-mail (Moderate) | 2020-08-12
oval:org.opensuse.security:def:109695 | P | Security update for claws-mail (Moderate) | 2020-08-12
oval:org.opensuse.security:def:103038 | P | Security update for claws-mail (Moderate) | 2020-08-12
oval:org.opensuse.security:def:110705 | P | Security update for claws-mail (Moderate) | 2020-08-03
oval:org.opensuse.security:def:110148 | P | Security update for claws-mail (Moderate) | 2020-07-31