CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 1CVE-2020-16117 – evolution-data-server: NULL pointer dereference related to imapx_free_capability and imapx_connect_to_server
https://notcve.org/view.php?id=CVE-2020-16117
29 Jul 2020 — In GNOME evolution-data-server before 3.35.91, a malicious server can crash the mail client with a NULL pointer dereference by sending an invalid (e.g., minimal) CAPABILITY line on a connection attempt. This is related to imapx_free_capability and imapx_connect_to_server. En GNOME evolution-data-server versiones anteriores a 3.35.91, un servidor malicioso puede bloquear el cliente de correo con una desreferencia del puntero NULL mediante el envío de una línea CAPABILITY no válida (por ejemplo, mínima) en un... • https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/2cc39592b532cf0dc994fd3694b8e6bf924c9ab5 • CWE-476: NULL Pointer Dereference •
CVSS: 5.9EPSS: 4%CPEs: 7EXPL: 1CVE-2020-14928 – evolution-data-server: Response injection via STARTTLS in SMTP and POP3
https://notcve.org/view.php?id=CVE-2020-14928
17 Jul 2020 — evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection." evolution-data-server (eds) versiones hasta 3.36.3, presenta un problema de almacenamiento en búfer STARTTLS que afecta a SMTP y POP3. Cuando un servidor envía una respuesta "begin TLS", eds lee datos adicionales y los evalúa en un contexto TLS, también se conoce como "response ... • https://bugzilla.suse.com/show_bug.cgi?id=1173910 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2013-4166 – evolution: incorrect selection of recipient gpg public key for encrypted mail
https://notcve.org/view.php?id=CVE-2013-4166
01 Aug 2013 — The gpg_ctx_add_recipient function in camel/camel-gpg-context.c in GNOME Evolution 3.8.4 and earlier and Evolution Data Server 3.9.5 and earlier does not properly select the GPG key to use for email encryption, which might cause the email to be encrypted with the wrong key and allow remote attackers to obtain sensitive information. La función gpg_ctx_add_recipient en el archivo camel/camel-gpg-context.c en GNOME Evolution versiones 3.8.4 y anteriores y Evolution Data Server versiones 3.9.5 y anteriores, no ... • http://rhn.redhat.com/errata/RHSA-2013-1540.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-697: Incorrect Comparison •
CVSS: 9.1EPSS: 3%CPEs: 2EXPL: 0CVE-2009-0582 – evolution-data-server: insufficient checking of NTLM authentication challenge packets
https://notcve.org/view.php?id=CVE-2009-0582
14 Mar 2009 — The ntlm_challenge function in the NTLM SASL authentication mechanism in camel/camel-sasl-ntlm.c in Camel in Evolution Data Server (aka evolution-data-server) 2.24.5 and earlier, and 2.25.92 and earlier 2.25.x versions, does not validate whether a certain length value is consistent with the amount of data in a challenge packet, which allows remote mail servers to read information from the process memory of a client, or cause a denial of service (client crash), via an NTLM authentication type 2 packet with a... • http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html • CWE-20: Improper Input Validation •