CVE-2019-3890 — Improper Certificate Validation in Evolution-ews

CWE-295 — Improper Certificate Validation CWE-296 — Improper Following of a Certificate's Chain of Trust7 documents6 sources

Severity

8.1HIGHNVD

EPSS

0.1%

top 71.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Gnome Project Evolution-ews Gnome Evolution-ews Debian Evolution-ews +1 more

Timeline

PublishedAug 1

Latest updateMay 24

Description

It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages4 packages

▶NVDgnome/evolution-ews< 3.31.3

▶debiandebian/evolution-ews< evolution-ews 3.30.5-1.1 (bookworm)

▶Debianthe_gnome_project/evolution-ews< 3.30.5-1.1+3

▶CVEListV5the_gnome_project/evolution-ews3.31.3

Also affects: Enterprise Linux 7.0, 8.0

🔴Vulnerability Details

GHSA

GHSA-mcq7-35g4-3c5q: It was discovered evolution-ews before 3↗2022-05-24

▶

OSV

CVE-2019-3890: It was discovered evolution-ews before 3↗2019-08-01

▶

📋Vendor Advisories

Red Hat

evolution-ews: all certificate errors ignored if error is ignored during initial account setup in gnome-online-accounts↗2019-02-15

▶

Debian

CVE-2019-3890: evolution-ews - It was discovered evolution-ews before 3.31.3 does not check the validity of SSL...↗2019

▶

💬Community

Bugzilla

CVE-2019-3890 evolution-ews: all certificate errors ignored if error is ignored during initial account setup in gnome-online-accounts↗2019-02-18

▶

Bugzilla

CVE-2019-3890 evolution-ews: all certificate errors ignored if configured to ignore an initial error in gnome-online-accounts creation resulting in the connection open to being viewed and modified. [f↗2019-02-18

▶