CVE-2021-26911 - OpenCVE

core/imap/MCIMAPSession.cpp in Canary Mail before 3.22 has Missing SSL Certificate Validation for IMAP in STARTTLS mode.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Canarymail	Canary Mail
Libmailcore	Mailcore2

Configuration 1 [-]

OR	cpe:2.3:a:canarymail:canary_mail:3.20:::::iphone_os::
	cpe:2.3:a:canarymail:canary_mail:3.21:::::iphone_os::

Configuration 2 [-]

cpe:2.3:a:libmailcore:mailcore2:0.6.4:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2021/02/17/3	Mailing List Patch Third Party Advisory
https://apps.apple.com/us/app/canary-mail/id1236045954	Product Third Party Advisory
https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/	Exploit Third Party Advisory
https://census-labs.com/news/category/advisories/	Third Party Advisory
https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018	Patch Third Party Advisory
https://www.openwall.com/lists/oss-security/2021/02/17/3	Mailing List Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-02-17T20:54:08

Updated: 2021-02-17T21:06:19

Reserved: 2021-02-08T00:00:00

Link: CVE-2021-26911

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-02-17T21:15:12.900

Modified: 2021-02-24T20:07:14.727

Link: CVE-2021-26911

JSON object: View

Redhat Information

No data.

CWE

CWE-295

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "core/imap/MCIMAPSession.cpp in Canary Mail before 3.22 has Missing SSL Certificate Validation for IMAP in STARTTLS mode."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-02-17T21:06:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://apps.apple.com/us/app/canary-mail/id1236045954"}, {"tags": ["x_refsource_MISC"], "url": "https://census-labs.com/news/category/advisories/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2021/02/17/3"}, {"tags": ["x_refsource_MISC"], "url": "https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018"}, {"name": "[oss-security] 20210217 CVE-2021-26911: Canary Mail with IMAP STARTTLS missing certificate validation", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/02/17/3"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-26911", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "core/imap/MCIMAPSession.cpp in Canary Mail before 3.22 has Missing SSL Certificate Validation for IMAP in STARTTLS mode."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://apps.apple.com/us/app/canary-mail/id1236045954", "refsource": "MISC", "url": "https://apps.apple.com/us/app/canary-mail/id1236045954"}, {"name": "https://census-labs.com/news/category/advisories/", "refsource": "MISC", "url": "https://census-labs.com/news/category/advisories/"}, {"name": "https://www.openwall.com/lists/oss-security/2021/02/17/3", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2021/02/17/3"}, {"name": "https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/", "refsource": "MISC", "url": "https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/"}, {"name": "https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018", "refsource": "CONFIRM", "url": "https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018"}, {"name": "[oss-security] 20210217 CVE-2021-26911: Canary Mail with IMAP STARTTLS missing certificate validation", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/02/17/3"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-26911", "datePublished": "2021-02-17T20:54:08", "dateReserved": "2021-02-08T00:00:00", "dateUpdated": "2021-02-17T21:06:19", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canarymail:canary_mail:3.20:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "8A0F96F5-488B-485C-93D9-0DFE7DD732C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:canarymail:canary_mail:3.21:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "A3D232FE-4500-4FD5-B7B0-901134B488E2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libmailcore:mailcore2:0.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "973E27F1-AE98-4C43-BE54-C4A453EEF046", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "core/imap/MCIMAPSession.cpp in Canary Mail before 3.22 has Missing SSL Certificate Validation for IMAP in STARTTLS mode."}, {"lang": "es", "value": "El archivo core/imap/MCIMAPSession.cpp en Canary Mail versiones anteriores a 3.22, tiene una Falta de Comprobaci\u00f3n de Certificado SSL para IMAP en modo STARTTLS"}], "id": "CVE-2021-26911", "lastModified": "2021-02-24T20:07:14.727", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-17T21:15:12.900", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/02/17/3"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://apps.apple.com/us/app/canary-mail/id1236045954"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://census-labs.com/news/category/advisories/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2021/02/17/3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}