Vulnerability Description
GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services that use invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store. A "pinned" certificate here is one the user has already accepted once and the client has stored; the flaw is that a later connection is not held to that stored certificate. This allows a meddler in the middle to present a different invalid certificate and intercept incoming and outgoing mail. The fix is in Geary 3.36.3.
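The check that this class of bug omits is easy to state: once a user has accepted an untrusted certificate, every later connection must be compared against that exact certificate, not merely excused from PKI validation. The Go program below is an added illustration written for this page; it is not Geary's code and does not reproduce its internals. It generates two self-signed certificates for the same hostname (constructed test data; the hostname imap.example.test is an assumption), pins the first by SHA-256 fingerprint, and shows a corrected client configuration rejecting the second while a configuration that only disables validation accepts it. The "flawed" configuration models the effect the description gives (any invalid certificate is accepted), not the actual Geary logic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSigned returns the DER encoding of a freshly generated self-signed
// certificate for host. Constructed test data standing in for the certificate a
// private IMAP or SMTP server presents; nothing here comes from Geary.
func NewSelfSigned(host string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// Pin is what a client stores when the user accepts an untrusted certificate once:
// the SHA-256 fingerprint of the exact DER certificate that was shown.
func Pin(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// PinnedConfig is the corrected client configuration. PKI validation is skipped
// because a self-signed certificate cannot pass it, so VerifyPeerCertificate is the
// only check left and must bind the connection to the pinned certificate.
func PinnedConfig(host, pin string) *tls.Config {
	return &tls.Config{
		ServerName:         host,
		InsecureSkipVerify: true, // disables chain AND hostname checks; the callback replaces them
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("server presented no certificate")
			}
			got := Pin(rawCerts[0]) // the leaf certificate is always first on the wire
			if subtle.ConstantTimeCompare([]byte(got), []byte(pin)) != 1 {
				return fmt.Errorf("certificate %.16s... does not match pinned %.16s...", got, pin)
			}
			return nil
		},
	}
}

// FlawedConfig models the vulnerable behaviour class described above: the pin is
// remembered but never compared, so with PKI validation disabled every certificate,
// including an attacker's own self-signed one, is accepted. A model of the bug's
// effect, not Geary's code.
func FlawedConfig(host, pin string) *tls.Config {
	_ = pin
	return &tls.Config{ServerName: host, InsecureSkipVerify: true}
}

// Accepts applies cfg's peer-certificate check to the chain a server presents, the
// same callback crypto/tls invokes during the handshake, and reports the decision.
func Accepts(cfg *tls.Config, chain ...[]byte) bool {
	if cfg.VerifyPeerCertificate == nil {
		return true // InsecureSkipVerify with no callback: nothing is ever rejected
	}
	return cfg.VerifyPeerCertificate(chain, nil) == nil
}

func main() {
	const host = "imap.example.test"
	server := NewSelfSigned(host)
	attacker := NewSelfSigned(host) // same name, different key: what a meddler in the middle presents
	pin := Pin(server)
	fmt.Printf("pinned: real=%v mitm=%v\n", Accepts(PinnedConfig(host, pin), server), Accepts(PinnedConfig(host, pin), attacker))
	fmt.Printf("flawed: real=%v mitm=%v\n", Accepts(FlawedConfig(host, pin), server), Accepts(FlawedConfig(host, pin), attacker))
}
```

Two points worth keeping in mind when applying this pattern. InsecureSkipVerify in Go (and the equivalent in most TLS libraries) turns off hostname matching as well as chain building, so the callback has to carry the whole burden; comparing the subject name would not help here, since the attacker's certificate carries the same name. Pinning the full certificate also means the user must re-accept after the server rotates its certificate; pinning the SubjectPublicKeyInfo instead survives re-issuance with the same key, at the cost of not detecting a changed validity period.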
CVSS Score
5.9 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnome | Geary | < 3.36.3 |
| Fedoraproject | Fedora | 31 |
Related Weaknesses (CWE)
References
- https://gitlab.gnome.org/GNOME/geary/-/issues/866 (Exploit; Issue Tracking; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://tools.cisco.com/security/center/content/CiscoSeg/message/NS6CSTOBVO5HSAR (Broken Link)
FAQ
What is CVE-2020-24661?
CVE-2020-24661 is a vulnerability with a CVSS score of 5.9 (MEDIUM). GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store, allowing a meddler in the middle to present a different invalid certificate and intercept mail.
How severe is CVE-2020-24661?
CVE-2020-24661 has been rated MEDIUM with a CVSS base score of 5.9/10. This page lists only the base score and rating; no vector string or per-metric breakdown is given.
Is there a patch for CVE-2020-24661?
Yes. The fix is in Geary 3.36.3; all earlier versions are affected. Fedora 31 is listed as affected, and the Fedora package-announce entries in the References section are the distribution's advisories. The upstream issue tracker entry is also listed there.