CVE-2021-20247
published 2021-02-23


Priority: P3 (46), high
CVSS 3.1: 7.4 (high)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 1.88% (76.8th percentile)
A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of the mailbox names returned by IMAP LIST/LSUB do not occur allowing a malicious or compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. The highest threat from this vulnerability is to data confidentiality and integrity.

Affected

13 ranges

Vendor           Product                               Version range                     Fixed in
debian           debian_linux                          -                                 -
debian           isync                                 < isync 1.3.0-2.1 (bookworm)      isync 1.3.0-2.1 (bookworm)
fedoraproject    extra_packages_for_enterprise_linux   -                                 -
fedoraproject    fedora                                -                                 -
fedoraproject    fedora                                -                                 -
isync            mbsync                                -                                 -
isync            mbsync                                -                                 -
isync_project    isync                                 >= 0, < 1.3.0-2.1                 1.3.0-2.1
isync_project    isync                                 >= 0, < 1.3.0-2.1                 1.3.0-2.1
isync_project    isync                                 >= 0, < 1.3.0-2.1                 1.3.0-2.1
isync_project    isync                                 >= 0, < 1.3.0-2.1                 1.3.0-2.1
mbsync_project   mbsync                                < 1.3.5                           1.3.5
mbsync_project   mbsync                                >= 1.4.0, < 1.4.1                 1.4.1

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.4     HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd             v2.0      5.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:N
osv             -         7.4     HIGH       -
vendor_debian   -         7.4     HIGH       -