isync/mbsync didn't validate the mailbox names returned by IMAP LIST/LSUB, which would allow a malicious/compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. This is fixed in mbsync versions 1.3.5 and 1.4.1.
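An added example, not isync's own code or its actual patch: a C check of the kind this description calls for, rejecting server-supplied mailbox names that contain '..' components before they are mapped to local paths. The function name, the delimiter parameter and the sample names are assumptions; rejecting a leading separator goes beyond what the advisory states.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from isync): return 1 if a mailbox name taken
 * from an IMAP LIST/LSUB reply is safe to map onto a local path, else 0.
 * `delim` is the hierarchy delimiter the server reported; '/' is always
 * treated as a separator too, because the local side uses it in paths. */
int mailbox_name_is_safe(const char *name, char delim)
{
    if (!name || !*name)
        return 0;                 /* empty name: nothing sensible to map */
    const char *p = name;
    for (;;) {
        size_t len = 0;           /* length of the current component */
        while (p[len] && p[len] != '/' && p[len] != delim)
            len++;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;             /* '..' component climbs out of the store */
        if (len == 0 && p == name)
            return 0;             /* leading separator (assumed extra check) */
        if (!p[len])
            return 1;             /* end of name, no bad component seen */
        p += len + 1;             /* skip the separator, check next part */
    }
}

int main(void)
{
    /* Constructed sample names, as a server might return them. */
    const char *names[] = { "INBOX", "Lists/oss-security", "..drafts",
                            "../outside", "Archive/../../outside", "/abs" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s %s\n", names[i],
               mailbox_name_is_safe(names[i], '/') ? "accept" : "reject");
    return 0;
}
```

Names that merely contain two dots inside a longer component, such as `..drafts`, are accepted; only a component that is exactly `..` is refused.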
https://www.openwall.com/lists/oss-security/2021/02/22/1
https://sourceforge.net/p/isync/isync/ci/fe5d59f8e3169944e57eb1c60155c9ebd4912d48/