CVE-2021-20247
published 2021-02-23CVE-2021-20247: A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of the mailbox names returned by IMAP LIST/LSUB do not occur allowing a malicious or…
PriorityP346high7.4CVSS 3.1
AVNACHPRNUINSUCHIHAN
EPSS
1.88%
76.8th percentile
A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of the mailbox names returned by IMAP LIST/LSUB do not occur allowing a malicious or compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. The highest threat from this vulnerability is to data confidentiality and integrity.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | isync | < isync 1.3.0-2.1 (bookworm) | isync 1.3.0-2.1 (bookworm) |
| fedoraproject | extra_packages_for_enterprise_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| isync | mbsync | — | — |
| isync | mbsync | — | — |
| isync_project | isync | >= 0 < 1.3.0-2.1 | 1.3.0-2.1 |
| isync_project | isync | >= 0 < 1.3.0-2.1 | 1.3.0-2.1 |
| isync_project | isync | >= 0 < 1.3.0-2.1 | 1.3.0-2.1 |
| isync_project | isync | >= 0 < 1.3.0-2.1 | 1.3.0-2.1 |
| mbsync_project | mbsync | < 1.3.5 | 1.3.5 |
| mbsync_project | mbsync | >= 1.4.0 < 1.4.1 | 1.4.1 |
CVSS provenance
nvdv3.17.4HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
nvdv2.05.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:N
osv7.4HIGH
vendor_debian7.4HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-5cp5-w68m-9w38: A flaw was found in mbsync before v1
ghsa_unreviewed·2022-05-24
CVE-2021-20247 [HIGH] CWE-20 GHSA-5cp5-w68m-9w38: A flaw was found in mbsync before v1
A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of the mailbox names returned by IMAP LIST/LSUB do not occur allowing a malicious or compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. The highest threat from this vulnerability is to data confidentiality and integrity.
OSV
CVE-2021-20247: A flaw was found in mbsync before v1
osv·2021-02-23·CVSS 7.4
CVE-2021-20247 [HIGH] CVE-2021-20247: A flaw was found in mbsync before v1
A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of the mailbox names returned by IMAP LIST/LSUB do not occur allowing a malicious or compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. The highest threat from this vulnerability is to data confidentiality and integrity.
Debian
CVE-2021-20247: isync - A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of the mailbox ...
vendor_debian·2021·CVSS 7.4
CVE-2021-20247 [HIGH] CVE-2021-20247: isync - A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of the mailbox ...
A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of the mailbox names returned by IMAP LIST/LSUB do not occur allowing a malicious or compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. The highest threat from this vulnerability is to data confidentiality and integrity.
Scope: local
bookworm: resolved (fixed in 1.3.0-2.1)
bullseye: resolved (fixed in 1.3.0-2.1)
forky: resolved (fixed in 1.3.0-2.1)
sid: resolved (fixed in 1.3.0-2.1)
trixie: resolved (fixed in 1.3.0-2.1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugzilla.redhat.com/show_bug.cgi?id=1928963https://lists.debian.org/debian-lts-announce/2022/07/msg00001.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CAXQLCK35QGRCRENRTGKJO4VVZGUXUJJ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDEBZQJMWDW5JFK4NTHH6DAFNAZTESW/https://security.gentoo.org/glsa/202208-15https://www.openwall.com/lists/oss-security/2021/02/22/1https://bugzilla.redhat.com/show_bug.cgi?id=1928963https://lists.debian.org/debian-lts-announce/2022/07/msg00001.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CAXQLCK35QGRCRENRTGKJO4VVZGUXUJJ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDEBZQJMWDW5JFK4NTHH6DAFNAZTESW/https://security.gentoo.org/glsa/202208-15https://www.openwall.com/lists/oss-security/2021/02/22/1
2021-02-23
Published