CVE Catalog

CVE-2020-37248

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.02%

5th percentile - higher than 5% of all known CVEs

Summary

OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, allowing STRIPTLS and man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.

Risk Assessment

The organization is at risk of credential interception by attackers, potentially leading to unauthorized access to user accounts.

Recommendation

It is recommended to upgrade OfflineIMAP to version 8.0.3 or later to mitigate this vulnerability.

Original NVD description (English source)

OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS