CVSSv3: 7.4

CVE-2021-20247

Published: 23/02/2021 Updated: 07/11/2023
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.4 | Impact Score: 5.2 | Exploitability Score: 2.2
VMScore: 516
CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

A flaw was found in mbsync before v1.3.5 and v1.4.1. Mailbox names returned by IMAP LIST/LSUB are not validated, allowing a malicious or compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. The highest threat from this vulnerability is to data confidentiality and integrity.
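As an added example, not code from mbsync, Vulmon or the advisories quoted here: the defender-side check this flaw calls for, a validator that rejects LIST/LSUB mailbox names which would escape the local mailbox root once mapped onto a directory tree. The response lines, delimiter handling and function names are constructed for this illustration.

```python
import re

# One untagged LIST/LSUB line: flags, delimiter (or NIL), then a quoted or atom name.
_LIST_RE = re.compile(
    r'^\* (?:LIST|LSUB) \([^)]*\) (?:"(?P<delim>[^"])"|NIL) '
    r'(?:"(?P<qname>(?:[^"\\]|\\.)*)"|(?P<aname>\S+))\s*$'
)

# Constructed LIST response mixing benign names with the traversal shapes from the CVE.
SAMPLE_LIST = [
    r'* LIST (\HasNoChildren) "/" "INBOX"',
    r'* LIST (\HasNoChildren) "/" "Work/Projects"',
    r'* LIST (\HasNoChildren) "/" "../../.ssh"',
    r'* LIST (\HasNoChildren) "/" "INBOX/../../tmp/evil"',
    r'* LIST (\Noselect) "." "Archive.2020"',
    r'* LIST (\HasNoChildren) "/" "/etc/passwd"',
    r'* LSUB () NIL Flat..Name',
]

def is_safe_mailbox_name(name, delimiter):
    """Accept a server-supplied name only if mapping it onto a local directory
    tree cannot leave the mailbox root (delimiter None means a flat namespace)."""
    if not name or any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False
    # Only the server's own hierarchy delimiter may separate components; any
    # other OS path separator means the server is trying to build a path.
    if any(sep != delimiter and sep in name for sep in ("/", "\\")):
        return False
    if delimiter is None:
        return name not in (".", "..")
    if name.startswith(delimiter):
        return False  # would become an absolute path
    # Empty, "." and ".." components are exactly what a traversal needs.
    return all(c not in ("", ".", "..") for c in name.split(delimiter))

def partition_list_response(lines):
    """Split LIST/LSUB lines into (accepted, rejected) names; malformed lines are dropped."""
    accepted, rejected = [], []
    for line in lines:
        m = _LIST_RE.match(line)
        if not m:
            continue
        name = m.group("qname")
        if name is None:
            name = m.group("aname")
        else:
            name = re.sub(r"\\(.)", r"\1", name)  # undo IMAP quoted-string escapes
        target = accepted if is_safe_mailbox_name(name, m.group("delim")) else rejected
        target.append(name)
    return accepted, rejected
```

Rejected names should be logged rather than silently skipped, since a server that emits them is either broken or hostile.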


Vulnerable Products

mbsync project mbsync

debian debian linux 9.0

fedoraproject fedora 32

fedoraproject fedora 33

fedoraproject extra packages for enterprise linux 8.0

Vendor Advisories

Debian Bug report logs - #983351 isync: CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB Package: src:isync; Maintainer for src:isync is Nicolas Boullis <nboullis@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Mon, 22 Feb 2021 19:45:01 UTC Severity: important Tags: patch, pendi ...
isync/mbsync didn't validate the mailbox names returned by IMAP LIST/LSUB, which would allow a malicious/compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. This is fixed in mbsync versions 1.3.5 and 1.4.1 ...