CVE-2016-10727Sensitive Information Exposure in Evolution

CWE-200Sensitive Information ExposureCWE-393Return of Wrong Status CodeCWE-201Sensitive Info Insertion into Sent Data8 documents8 sources
Severity
9.8CRITICALNVD
EPSS
1.0%
top 22.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Gnome Evolution-data-serverGnome EvolutionCanonical Ubuntu Linux
Timeline
PublishedJul 20
Latest updateMay 14

Description

camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

Debiangnome/evolution-data-server< 3.22.0-2+3
NVDgnome/evolution< 3.21.2

Also affects: Ubuntu Linux 14.04, 16.04

Patches

Patch: bugzilla.redhat.comPatch: gitlab.gnome.orgPatch: bugzilla.redhat.com

🔴Vulnerability Details

3
GHSA
GHSA-7xwg-339m-2rw9: camel/providers/imapx/camel-imapx-server2022-05-14
CVEList
CVE-2016-10727: camel/providers/imapx/camel-imapx-server2018-07-20
OSV
CVE-2016-10727: camel/providers/imapx/camel-imapx-server2018-07-20

📋Vendor Advisories

3
Ubuntu
Evolution Data Server vulnerability2018-07-26
Red Hat
evolution-data-server: IMAPx Component Information Disclosure2016-05-10
Debian
CVE-2016-10727: evolution-data-server - camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolu...2016

💬Community

1
Bugzilla
CVE-2016-10727 evolution-data-server: IMAPx Component Information Disclosure2018-07-30
CVE-2016-10727 — Sensitive Information Exposure | cvebase