CVE-2014-2014 - OpenCVE

imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Imapsync Project	Imapsync

Configuration 1 [-]

OR	cpe:2.3:a:imapsync_project:imapsync::::::::
	cpe:2.3:a:imapsync_project:imapsync:1.53:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.500:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.504:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.508:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.516:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.518:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.525:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.542:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.547:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.554:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.558:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.564:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.567:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.569:::::::*

References

Link	Resource
http://seclists.org/oss-sec/2014/q1/367
http://seclists.org/oss-sec/2014/q1/378	Patch
http://www.linux-france.org/prj/imapsync_list/msg01907.html
http://www.linux-france.org/prj/imapsync_list/msg01910.html
http://www.mandriva.com/security/advisories?name=MDVSA-2014:060
https://bugs.mageia.org/show_bug.cgi?id=12770
https://github.com/imapsync/imapsync/issues/15
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2014-04-18T19:00:00

Updated: 2014-04-18T18:57:00

Reserved: 2014-02-17T00:00:00

Link: CVE-2014-2014

JSON object: View

NVD Information

Status : Analyzed

Published: 2014-04-18T22:14:35.980

Modified: 2023-06-07T13:59:55.603

Link: CVE-2014-2014

JSON object: View

Redhat Information

No data.

CWE

CWE-255

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-20T00:00:00", "descriptions": [{"lang": "en", "value": "imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-04-18T18:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20140218 Re: CVE request: \"imapsync ignores the --tls switch and sends my authentication plaintext.\"", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q1/378"}, {"name": "[oss-security] 20140217 CVE request: \"imapsync ignores the --tls switch and sends my authentication plaintext.\"", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q1/367"}, {"name": "FEDORA-2014-2505", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html"}, {"name": "[imapsync_list] 20140122 Re: [imapsync] Upon certificate issues STARTTLS is ignored and the password sent in plaintext (#15)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.linux-france.org/prj/imapsync_list/msg01910.html"}, {"name": "[imapsync_list] 20140120 Re: [imapsync] STARTTLS support (#15)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.linux-france.org/prj/imapsync_list/msg01907.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/imapsync/imapsync/issues/15"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.mageia.org/show_bug.cgi?id=12770"}, {"name": "MDVSA-2014:060", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:060"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2014", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20140218 Re: CVE request: \"imapsync ignores the --tls switch and sends my authentication plaintext.\"", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/378"}, {"name": "[oss-security] 20140217 CVE request: \"imapsync ignores the --tls switch and sends my authentication plaintext.\"", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/367"}, {"name": "FEDORA-2014-2505", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html"}, {"name": "[imapsync_list] 20140122 Re: [imapsync] Upon certificate issues STARTTLS is ignored and the password sent in plaintext (#15)", "refsource": "MLIST", "url": "http://www.linux-france.org/prj/imapsync_list/msg01910.html"}, {"name": "[imapsync_list] 20140120 Re: [imapsync] STARTTLS support (#15)", "refsource": "MLIST", "url": "http://www.linux-france.org/prj/imapsync_list/msg01907.html"}, {"name": "https://github.com/imapsync/imapsync/issues/15", "refsource": "CONFIRM", "url": "https://github.com/imapsync/imapsync/issues/15"}, {"name": "https://bugs.mageia.org/show_bug.cgi?id=12770", "refsource": "CONFIRM", "url": "https://bugs.mageia.org/show_bug.cgi?id=12770"}, {"name": "MDVSA-2014:060", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:060"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2014", "datePublished": "2014-04-18T19:00:00", "dateReserved": "2014-02-17T00:00:00", "dateUpdated": "2014-04-18T18:57:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imapsync_project:imapsync:*:*:*:*:*:*:*:*", "matchCriteriaId": "56905459-0B35-43B8-8C47-FBA9139EA823", "versionEndIncluding": "1.580", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.53:*:*:*:*:*:*:*", "matchCriteriaId": "B40979AF-EB6A-46EB-99E4-D701581ED1BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.500:*:*:*:*:*:*:*", "matchCriteriaId": "5474AB1C-7C65-4DBA-84FC-25225ED0D1F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.504:*:*:*:*:*:*:*", "matchCriteriaId": "FAF07F71-64E1-4C03-990B-125F65BE1755", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.508:*:*:*:*:*:*:*", "matchCriteriaId": "8E69E9B3-6B60-42FC-BF19-5D03C18C2D87", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.516:*:*:*:*:*:*:*", "matchCriteriaId": "89F4D622-A8B7-4694-8299-6CD2A7CC4BC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.518:*:*:*:*:*:*:*", "matchCriteriaId": "561963EC-FC73-4284-91CB-D314EE02B3E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.525:*:*:*:*:*:*:*", "matchCriteriaId": "B0BECF9F-1286-4549-8C60-1956024E0662", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.542:*:*:*:*:*:*:*", "matchCriteriaId": "E29744AC-E2CC-4C1E-8C06-8FD13CD44605", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.547:*:*:*:*:*:*:*", "matchCriteriaId": "F9847527-D696-4BEC-A4D7-38ED38AB2C24", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.554:*:*:*:*:*:*:*", "matchCriteriaId": "2DCD5E84-F077-4690-A25E-A026531FE866", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.558:*:*:*:*:*:*:*", "matchCriteriaId": "8BDBB7C4-28E5-4C04-B55B-FC91E96CA0CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.564:*:*:*:*:*:*:*", "matchCriteriaId": "A74F9B7A-6DAA-4ECA-8113-4629C7FDD987", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.567:*:*:*:*:*:*:*", "matchCriteriaId": "A525B607-E517-4CAD-80F1-053B8F8AB659", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.569:*:*:*:*:*:*:*", "matchCriteriaId": "AFE68C11-2954-4C9E-8439-CB72D051A12A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network."}, {"lang": "es", "value": "imapsync anterior a 1.584, cuando funciona con la opci\u00f3n --tls, intenta un inicio de sesi\u00f3n en texto claro cuando existe un fallo de de verificaci\u00f3n de certificado, lo que permite a atacantes remotos obtener credenciales escuchando la red."}], "id": "CVE-2014-2014", "lastModified": "2023-06-07T13:59:55.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-04-18T22:14:35.980", "references": [{"source": "cve@mitre.org", "url": "http://seclists.org/oss-sec/2014/q1/367"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://seclists.org/oss-sec/2014/q1/378"}, {"source": "cve@mitre.org", "url": "http://www.linux-france.org/prj/imapsync_list/msg01907.html"}, {"source": "cve@mitre.org", "url": "http://www.linux-france.org/prj/imapsync_list/msg01910.html"}, {"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:060"}, {"source": "cve@mitre.org", "url": "https://bugs.mageia.org/show_bug.cgi?id=12770"}, {"source": "cve@mitre.org", "url": "https://github.com/imapsync/imapsync/issues/15"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}], "source": "nvd@nist.gov", "type": "Primary"}]}