cnvd - cnvd-2018-17513

CNVD-2018-17513

Vulnerability from cnvd - Published: 2018-09-05

Title

GNOME evolution-data-server IMAPx组件信息泄露漏洞

Description

GNOME evolution-data-server是GNOME项目的一套用于Linux下Gnome桌面环境的邮件数据服务器。IMAPx是其中的一个用于处理邮件和文件夹的组件。 GNOME evolution-data-server 3.21.2之前版本中的IMAPx组件的camel/providers/imapx/camel-imapx-server.c文件存在信息泄露漏洞，该漏洞源于当服务器未能使用STARTTLS时，程序依然会发送带有敏感信息的明文数据。远程攻击者可通过嗅探网络利用该漏洞获取敏感信息。

Severity

中

Patch Name

GNOME evolution-data-server IMAPx组件信息泄露漏洞的补丁

Patch Description

GNOME evolution-data-server是GNOME项目的一套用于Linux下Gnome桌面环境的邮件数据服务器。IMAPx是其中的一个用于处理邮件和文件夹的组件。 GNOME evolution-data-server 3.21.2之前版本中的IMAPx组件的camel/providers/imapx/camel-imapx-server.c文件存在信息泄露漏洞，该漏洞源于当服务器没有使用STARTTLS时，程序依然会发送带有敏感信息的明文数据。远程攻击者可通过嗅探网络利用该漏洞获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/GNOME/evolution-data-server/releases/tag/EVOLUTION_DATA_SERVER_3_21_2

Reference

https://bugzilla.redhat.com/show_bug.cgi?id=1334842 https://github.com/GNOME/evolution-data-server/releases/tag/EVOLUTION_DATA_SERVER_3_21_2 https://gitlab.gnome.org/GNOME/evolution-data-server/blob/master/NEWS#L1022 https://gitlab.gnome.org/GNOME/evolution-data-server/commit/f26a6f67

Impacted products

Name
GNOME evolution-data-server <3.21.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-10727"
    }
  },
  "description": "GNOME evolution-data-server\u662fGNOME\u9879\u76ee\u7684\u4e00\u5957\u7528\u4e8eLinux\u4e0bGnome\u684c\u9762\u73af\u5883\u7684\u90ae\u4ef6\u6570\u636e\u670d\u52a1\u5668\u3002IMAPx\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7528\u4e8e\u5904\u7406\u90ae\u4ef6\u548c\u6587\u4ef6\u5939\u7684\u7ec4\u4ef6\u3002\r\n\r\nGNOME evolution-data-server 3.21.2\u4e4b\u524d\u7248\u672c\u4e2d\u7684IMAPx\u7ec4\u4ef6\u7684camel/providers/imapx/camel-imapx-server.c\u6587\u4ef6\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53\u670d\u52a1\u5668\u672a\u80fd\u4f7f\u7528STARTTLS\u65f6\uff0c\u7a0b\u5e8f\u4f9d\u7136\u4f1a\u53d1\u9001\u5e26\u6709\u654f\u611f\u4fe1\u606f\u7684\u660e\u6587\u6570\u636e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u55c5\u63a2\u7f51\u7edc\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "unknown",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/GNOME/evolution-data-server/releases/tag/EVOLUTION_DATA_SERVER_3_21_2",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-17513",
  "openTime": "2018-09-05",
  "patchDescription": "GNOME evolution-data-server\u662fGNOME\u9879\u76ee\u7684\u4e00\u5957\u7528\u4e8eLinux\u4e0bGnome\u684c\u9762\u73af\u5883\u7684\u90ae\u4ef6\u6570\u636e\u670d\u52a1\u5668\u3002IMAPx\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7528\u4e8e\u5904\u7406\u90ae\u4ef6\u548c\u6587\u4ef6\u5939\u7684\u7ec4\u4ef6\u3002\r\n\r\nGNOME evolution-data-server 3.21.2\u4e4b\u524d\u7248\u672c\u4e2d\u7684IMAPx\u7ec4\u4ef6\u7684camel/providers/imapx/camel-imapx-server.c\u6587\u4ef6\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53\u670d\u52a1\u5668\u6ca1\u6709\u4f7f\u7528STARTTLS\u65f6\uff0c\u7a0b\u5e8f\u4f9d\u7136\u4f1a\u53d1\u9001\u5e26\u6709\u654f\u611f\u4fe1\u606f\u7684\u660e\u6587\u6570\u636e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u55c5\u63a2\u7f51\u7edc\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "GNOME evolution-data-server IMAPx\u7ec4\u4ef6\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "GNOME evolution-data-server \u003c3.21.2"
  },
  "referenceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=1334842\r\nhttps://github.com/GNOME/evolution-data-server/releases/tag/EVOLUTION_DATA_SERVER_3_21_2\r\nhttps://gitlab.gnome.org/GNOME/evolution-data-server/blob/master/NEWS#L1022\r\nhttps://gitlab.gnome.org/GNOME/evolution-data-server/commit/f26a6f67",
  "serverity": "\u4e2d",
  "submitTime": "2018-07-24",
  "title": "GNOME evolution-data-server IMAPx\u7ec4\u4ef6\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2016-10727 (GCVE-0-2016-10727)

Vulnerability from cvelistv5 – Published: 2018-07-20 04:00 – Updated: 2024-08-06 03:30

Summary

camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/GNOME/evolution-data-server/re…	x_refsource_MISC
	https://gitlab.gnome.org/GNOME/evolution-data-ser…	x_refsource_MISC
	https://bugzilla.redhat.com/show_bug.cgi?id=1334842	x_refsource_MISC
	https://usn.ubuntu.com/3724-1/	vendor-advisoryx_refsource_UBUNTU
	https://gitlab.gnome.org/GNOME/evolution-data-ser…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T03:30:20.132Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/GNOME/evolution-data-server/releases/tag/EVOLUTION_DATA_SERVER_3_21_2"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.gnome.org/GNOME/evolution-data-server/blob/master/NEWS#L1022"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1334842"
          },
          {
            "name": "USN-3724-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3724-1/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.gnome.org/GNOME/evolution-data-server/commit/f26a6f67"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-07-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-27T09:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/GNOME/evolution-data-server/releases/tag/EVOLUTION_DATA_SERVER_3_21_2"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.gnome.org/GNOME/evolution-data-server/blob/master/NEWS#L1022"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1334842"
        },
        {
          "name": "USN-3724-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3724-1/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.gnome.org/GNOME/evolution-data-server/commit/f26a6f67"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-10727",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/GNOME/evolution-data-server/releases/tag/EVOLUTION_DATA_SERVER_3_21_2",
              "refsource": "MISC",
              "url": "https://github.com/GNOME/evolution-data-server/releases/tag/EVOLUTION_DATA_SERVER_3_21_2"
            },
            {
              "name": "https://gitlab.gnome.org/GNOME/evolution-data-server/blob/master/NEWS#L1022",
              "refsource": "MISC",
              "url": "https://gitlab.gnome.org/GNOME/evolution-data-server/blob/master/NEWS#L1022"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1334842",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1334842"
            },
            {
              "name": "USN-3724-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3724-1/"
            },
            {
              "name": "https://gitlab.gnome.org/GNOME/evolution-data-server/commit/f26a6f67",
              "refsource": "MISC",
              "url": "https://gitlab.gnome.org/GNOME/evolution-data-server/commit/f26a6f67"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-10727",
    "datePublished": "2018-07-20T04:00:00",
    "dateReserved": "2018-07-19T00:00:00",
    "dateUpdated": "2024-08-06T03:30:20.132Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-17513

CVE-2016-10727 (GCVE-0-2016-10727)

Tags

Sightings

Nomenclature