CVE-2021-20247Improper Input Validation in Project Mbsync

CWE-20Improper Input ValidationCWE-22Path Traversal5 documents5 sources
Severity
7.4HIGHNVD
EPSS
1.4%
top 19.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Isync Project IsyncMbsync Project MbsyncIsync Mbsync+3 more
Timeline
PublishedFeb 23
Latest updateMay 24

Description

A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of the mailbox names returned by IMAP LIST/LSUB do not occur allowing a malicious or compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. The highest threat from this vulnerability is to data confidentiality and integrity.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages4 packages

NVDmbsync_project/mbsync1.4.01.4.1+1
CVEListV5isync/mbsyncbefore 1.35, before 1.4.1+1
Debianisync_project/isync< 1.3.0-2.1+3

Also affects: Debian Linux 9.0, Fedora 32, 33

🔴Vulnerability Details

3
GHSA
GHSA-5cp5-w68m-9w38: A flaw was found in mbsync before v12022-05-24
CVEList
CVE-2021-20247: A flaw was found in mbsync before v12021-02-23
OSV
CVE-2021-20247: A flaw was found in mbsync before v12021-02-23

📋Vendor Advisories

1
Debian
CVE-2021-20247: isync - A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of the mailbox ...2021
CVE-2021-20247 — Improper Input Validation | cvebase