Lucene search

[email protected]CVE-2014-2576

HistoryOct 15, 2014 - 2:55 p.m.

CVE-2014-2576

2014-10-1514:55:06

CWE-310

[email protected]

web.nvd.nist.gov

cve-2014-2576

claws mail

security vulnerability

curlopt_ssl_verifyhost

mitm

nvd

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

6.5 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

56.9%

JSON

plugins/rssyl/feed.c in Claws Mail before 3.10.0 disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

Affected configurations

NVD

Node

claws-mailclaws-mailRange≤3.9.3

Node

opensuseopensuseMatch12.3

opensuseopensuseMatch13.1

CPENameOperatorVersion
claws-mail:claws-mailclaws-maille3.9.3

CPE	Name	Operator	Version
claws-mail:claws-mail	claws-mail	le	3.9.3

References

lists.opensuse.org/opensuse-updates/2014-10/msg00015.html

seclists.org/oss-sec/2014/q1/636

secunia.com/advisories/60422

sourceforge.net/p/claws-mail/news/2014/05/claws-mail-3100-unleashed/

www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3106

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

6.5 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

56.9%

JSON

Related for CVE-2014-2576

prion1 debiancve1 cvelist1 nessus1 ubuntucve1 mageia1 nvd1 openvas1