MidnightBSD

Advisories for mbsync_project

CVE-2021-20247 MEDIUM

A flaw was found in mbsync before v1.3.5 and v1.4.1. Mailbox names returned by IMAP LIST/LSUB are not validated, which allows a malicious or compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. The highest threat from this vulnerability is to data confidentiality and integrity.
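The missing validation described above, sketched as an added example in C (this is not mbsync's own code or its actual fix). The function names and sample mailbox names are constructed for illustration, and it is assumed that the client translates the server's hierarchy delimiter to '/' when building the local path.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if any component of `name`, split on `sep`, is exactly "..". */
static int has_dotdot_component(const char *name, char sep)
{
    const char *p = name;
    for (;;) {
        const char *end = strchr(p, sep);
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (!end)
            return 0;
        p = end + 1;
    }
}

/* Hypothetical check: 1 if a mailbox name taken from a LIST/LSUB response
 * may be mapped to a path in the opposite store, 0 if it must be refused.
 * `delim` is the hierarchy delimiter the server announced (0 if none). */
int mailbox_name_is_safe(const char *name, char delim)
{
    if (!name || !*name)
        return 0;
    /* The name becomes a filesystem path, so '/' always separates. */
    if (has_dotdot_component(name, '/'))
        return 0;
    /* Assumption: the delimiter is translated to '/', so split on it too. */
    if (delim && delim != '/' && has_dotdot_component(name, delim))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample names, as a server might list them. */
    static const struct { const char *name; char delim; } samples[] = {
        { "INBOX/Archive", '/' },        /* ordinary nested mailbox */
        { "notes..old", '/' },           /* dots inside one component */
        { "INBOX/../../outside", '/' },  /* '..' path components */
        { "INBOX\\..\\outside", '\\' },  /* same, non-'/' delimiter */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", samples[i].name,
               mailbox_name_is_safe(samples[i].name, samples[i].delim)
                   ? "accept" : "reject");
    return 0;
}
```

Names are checked as received, before any delimiter translation or path joining, so a rejected name never reaches the filesystem layer.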

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20, CWE-22

Products Affected

Vendor          Product                             Version
fedoraproject   fedora                              32
mbsync_project  mbsync                              *
fedoraproject   fedora                              33
debian          debian_linux                        9.0
fedoraproject   extra_packages_for_enterprise_linux 8.0