Vulnerability Description
plugins/rssyl/feed.c in Claws Mail before 3.10.0 disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Claws-Mail | Claws-Mail | <= 3.9.3 |
| Opensuse | Opensuse | 12.3 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-updates/2014-10/msg00015.html
- http://seclists.org/oss-sec/2014/q1/636
- http://secunia.com/advisories/60422
- http://sourceforge.net/p/claws-mail/news/2014/05/claws-mail-3100-unleashed/
- http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3106Vendor Advisory
- http://lists.opensuse.org/opensuse-updates/2014-10/msg00015.html
- http://seclists.org/oss-sec/2014/q1/636
- http://secunia.com/advisories/60422
- http://sourceforge.net/p/claws-mail/news/2014/05/claws-mail-3100-unleashed/
- http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3106Vendor Advisory
FAQ
What is CVE-2014-2576?
CVE-2014-2576 is a vulnerability with a CVSS score of 6.8 (MEDIUM). plugins/rssyl/feed.c in Claws Mail before 3.10.0 disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-i...
How severe is CVE-2014-2576?
CVE-2014-2576 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-2576?
Check the references section above for vendor advisories and patch information. Affected products include: Claws-Mail Claws-Mail, Opensuse Opensuse.