Vulnerability CVE-2021-39272

Vulnerability Name:

CVE-2021-39272 (CCN-208331)

Assigned:

2021-08-10

Published:

2021-08-10

Updated:

2022-10-28

Summary:

Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.

CVSS v3 Severity:

5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

5.9 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-319

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2021-39272

Source: MISC
Type: Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/08/27/3

Source: XF
Type: UNKNOWN
fetchmail-cve202139272-sec-bypass(208331)

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-ddefbdbb46

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-e61a978fef

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-9998719311

Source: MISC
Type: Third Party Advisory
https://nostarttls.secvuln.info/

Source: CCN
Type: oss-sec Mailing List, Fri, 27 Aug 2021 00:31:36 +0200
ANNOUNCE: fetchmail security announcement 2021-02 (CVE-2021-39272) - TLS bypass vulnerabilities ("NO STARTTLS")

Source: GENTOO
Type: Third Party Advisory
GLSA-202209-14

Source: CCN
Type: fetchmail Web site
fetchmail-SA-2021-02: STARTTLS session encryption bypassing

Source: MISC
Type: Vendor Advisory
https://www.fetchmail.info/security.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-39272

Vulnerable Configuration:

Configuration 1:

cpe:/a:fetchmail:fetchmail:*:*:*:*:*:*:*:* (Version < 6.4.22)

Configuration 2:

cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7882	P	fetchmailconf-6.4.22-20.26.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:7493	P	fetchmail-6.4.22-20.26.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:795	P	Security update for slurm_20_02 (Important)	2022-10-03
oval:org.opensuse.security:def:3265	P	libtasn1-4.9-3.10.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3548	P	libQt5Concurrent5-5.6.2-6.15.2 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3696	P	libvirglrenderer0-0.5.0-11.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3733	P	ovmf-2017+git1510945757.b2662641d5-3.16.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3508	P	gpg2-2.0.24-9.8.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94819	P	rpm-32bit-4.14.3-150300.46.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94620	P	libXvnc1-1.10.1-150400.5.6 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94548	P	fetchmail-6.4.22-20.26.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94660	P	libmarkdown2-2.2.4-1.41 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94895	P	fetchmailconf-6.4.22-20.26.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:2918	P	fetchmail-6.4.22-20.26.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94809	P	python3-requests-2.24.0-1.24 on GA media (Moderate)	2022-06-22
oval:com.redhat.rhsa:def:20221964	P	RHSA-2022:1964: fetchmail security update (Moderate)	2022-05-10
oval:org.opensuse.security:def:100090	P	(Important)	2022-03-07
oval:org.opensuse.security:def:112219	P	fetchmail-6.4.22-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:111172	P	Security update for fetchmail (Moderate)	2021-12-17
oval:org.opensuse.security:def:69970	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:108198	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:64822	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:101743	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:106071	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:10381	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:8690	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:92236	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:117553	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:65328	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:101532	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:73944	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:99381	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:9631	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:4174	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:70331	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:106270	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:74396	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:8880	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:92431	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:69577	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:1052	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:108039	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:64637	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:101563	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:105681	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:99580	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:9830	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:70521	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:65263	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:106469	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:101373	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:73759	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:98991	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:9075	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:92630	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:117712	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:69771	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:105876	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:74331	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:99779	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:10191	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:4239	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:92041	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:832	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:106756	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:111833	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:99186	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:9437	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:92829	P	Security update for fetchmail (Moderate)	2021-12-14
oval:org.opensuse.security:def:111107	P	Security update for fetchmail (Moderate)	2021-10-31
oval:org.opensuse.security:def:4164	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:74386	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:1042	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:107999	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:64597	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:33030	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:65253	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:101333	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:73719	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:87494	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:117702	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:74321	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:4229	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:34574	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:58853	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:111760	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:108188	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:64785	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:101733	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:117513	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:65318	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:60397	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:101522	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:73907	P	Security update for fetchmail (Moderate)	2021-10-20

BACK