Vulnerability Name:

CVE-2021-39272 (CCN-208331)

Assigned:2021-08-10
Published:2021-08-10
Updated:2022-10-28
Summary:Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
CVSS v3 Severity:5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
5.9 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-319
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2021-39272

Source: MISC
Type: Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/08/27/3

Source: XF
Type: UNKNOWN
fetchmail-cve202139272-sec-bypass(208331)

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-ddefbdbb46

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-e61a978fef

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-9998719311

Source: MISC
Type: Third Party Advisory
https://nostarttls.secvuln.info/

Source: CCN
Type: oss-sec Mailing List, Fri, 27 Aug 2021 00:31:36 +0200
ANNOUNCE: fetchmail security announcement 2021-02 (CVE-2021-39272) - TLS bypass vulnerabilities ("NO STARTTLS")

Source: GENTOO
Type: Third Party Advisory
GLSA-202209-14

Source: CCN
Type: fetchmail Web site
fetchmail-SA-2021-02: STARTTLS session encryption bypassing

Source: MISC
Type: Vendor Advisory
https://www.fetchmail.info/security.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-39272

Vulnerable Configuration:Configuration 1:
  • cpe:/a:fetchmail:fetchmail:*:*:*:*:*:*:*:* (Version < 6.4.22)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:7882
    P
    		fetchmailconf-6.4.22-20.26.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:7493
    P
    		fetchmail-6.4.22-20.26.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:795
    P
    		Security update for slurm_20_02 (Important)
    2022-10-03
    oval:org.opensuse.security:def:3265
    P
    		libtasn1-4.9-3.10.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3548
    P
    		libQt5Concurrent5-5.6.2-6.15.2 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3696
    P
    		libvirglrenderer0-0.5.0-11.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3733
    P
    		ovmf-2017+git1510945757.b2662641d5-3.16.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3508
    P
    		gpg2-2.0.24-9.8.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94819
    P
    		rpm-32bit-4.14.3-150300.46.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94620
    P
    		libXvnc1-1.10.1-150400.5.6 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94548
    P
    		fetchmail-6.4.22-20.26.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94660
    P
    		libmarkdown2-2.2.4-1.41 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94895
    P
    		fetchmailconf-6.4.22-20.26.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:2918
    P
    		fetchmail-6.4.22-20.26.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94809
    P
    		python3-requests-2.24.0-1.24 on GA media (Moderate)
    2022-06-22
    oval:com.redhat.rhsa:def:20221964
    P
    		RHSA-2022:1964: fetchmail security update (Moderate)
    2022-05-10
    oval:org.opensuse.security:def:100090
    P
    		 (Important)
    2022-03-07
    oval:org.opensuse.security:def:112219
    P
    		fetchmail-6.4.22-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:111172
    P
    		Security update for fetchmail (Moderate)
    2021-12-17
    oval:org.opensuse.security:def:69970
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:108198
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:64822
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:101743
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:106071
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:10381
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:8690
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:92236
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:117553
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:65328
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:101532
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:73944
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:99381
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:9631
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:4174
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:70331
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:106270
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:74396
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:8880
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:92431
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:69577
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:1052
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:108039
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:64637
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:101563
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:105681
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:99580
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:9830
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:70521
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:65263
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:106469
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:101373
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:73759
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:98991
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:9075
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:92630
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:117712
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:69771
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:105876
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:74331
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:99779
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:10191
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:4239
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:92041
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:832
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:106756
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:111833
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:99186
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:9437
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:92829
    P
    		Security update for fetchmail (Moderate)
    2021-12-14
    oval:org.opensuse.security:def:111107
    P
    		Security update for fetchmail (Moderate)
    2021-10-31
    oval:org.opensuse.security:def:4164
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:74386
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:1042
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:107999
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:64597
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:33030
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:65253
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:101333
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:73719
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:87494
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:117702
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:74321
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:4229
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:34574
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:58853
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:111760
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:108188
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:64785
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:101733
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:117513
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:65318
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:60397
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:101522
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:73907
    P
    		Security update for fetchmail (Moderate)
    2021-10-20
    BACK
    fetchmail fetchmail *
    fedoraproject fedora 33
    fedoraproject fedora 34
    fedoraproject fedora 35