CVE-2014-2014 - OpenCVE

imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Imapsync Project	Imapsync

Configuration 1 [-]

OR	cpe:2.3:a:imapsync_project:imapsync::::::::
	cpe:2.3:a:imapsync_project:imapsync:1.53:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.500:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.504:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.508:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.516:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.518:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.525:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.542:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.547:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.554:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.558:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.564:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.567:::::::*
	cpe:2.3:a:imapsync_project:imapsync:1.569:::::::*

No data.

References

Link	Providers
http://seclists.org/oss-sec/2014/q1/367
http://seclists.org/oss-sec/2014/q1/378
http://www.linux-france.org/prj/imapsync_list/msg01907.html
http://www.linux-france.org/prj/imapsync_list/msg01910.html
http://www.mandriva.com/security/advisories?name=MDVSA-2014:060
https://bugs.mageia.org/show_bug.cgi?id=12770
https://github.com/imapsync/imapsync/issues/15
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-04-18T19:00:00

Updated: 2024-08-06T09:58:16.179Z

Reserved: 2014-02-17T00:00:00

Link: CVE-2014-2014

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2014-04-18T22:14:35.980

Modified: 2023-06-07T13:59:55.603

Link: CVE-2014-2014

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-20T00:00:00", "descriptions": [{"lang": "en", "value": "imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-04-18T18:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20140218 Re: CVE request: \"imapsync ignores the --tls switch and sends my authentication plaintext.\"", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q1/378"}, {"name": "[oss-security] 20140217 CVE request: \"imapsync ignores the --tls switch and sends my authentication plaintext.\"", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q1/367"}, {"name": "FEDORA-2014-2505", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html"}, {"name": "[imapsync_list] 20140122 Re: [imapsync] Upon certificate issues STARTTLS is ignored and the password sent in plaintext (#15)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.linux-france.org/prj/imapsync_list/msg01910.html"}, {"name": "[imapsync_list] 20140120 Re: [imapsync] STARTTLS support (#15)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.linux-france.org/prj/imapsync_list/msg01907.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/imapsync/imapsync/issues/15"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.mageia.org/show_bug.cgi?id=12770"}, {"name": "MDVSA-2014:060", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:060"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2014", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20140218 Re: CVE request: \"imapsync ignores the --tls switch and sends my authentication plaintext.\"", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/378"}, {"name": "[oss-security] 20140217 CVE request: \"imapsync ignores the --tls switch and sends my authentication plaintext.\"", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/367"}, {"name": "FEDORA-2014-2505", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html"}, {"name": "[imapsync_list] 20140122 Re: [imapsync] Upon certificate issues STARTTLS is ignored and the password sent in plaintext (#15)", "refsource": "MLIST", "url": "http://www.linux-france.org/prj/imapsync_list/msg01910.html"}, {"name": "[imapsync_list] 20140120 Re: [imapsync] STARTTLS support (#15)", "refsource": "MLIST", "url": "http://www.linux-france.org/prj/imapsync_list/msg01907.html"}, {"name": "https://github.com/imapsync/imapsync/issues/15", "refsource": "CONFIRM", "url": "https://github.com/imapsync/imapsync/issues/15"}, {"name": "https://bugs.mageia.org/show_bug.cgi?id=12770", "refsource": "CONFIRM", "url": "https://bugs.mageia.org/show_bug.cgi?id=12770"}, {"name": "MDVSA-2014:060", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:060"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:58:16.179Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20140218 Re: CVE request: \"imapsync ignores the --tls switch and sends my authentication plaintext.\"", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2014/q1/378"}, {"name": "[oss-security] 20140217 CVE request: \"imapsync ignores the --tls switch and sends my authentication plaintext.\"", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2014/q1/367"}, {"name": "FEDORA-2014-2505", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html"}, {"name": "[imapsync_list] 20140122 Re: [imapsync] Upon certificate issues STARTTLS is ignored and the password sent in plaintext (#15)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.linux-france.org/prj/imapsync_list/msg01910.html"}, {"name": "[imapsync_list] 20140120 Re: [imapsync] STARTTLS support (#15)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.linux-france.org/prj/imapsync_list/msg01907.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/imapsync/imapsync/issues/15"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.mageia.org/show_bug.cgi?id=12770"}, {"name": "MDVSA-2014:060", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:060"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2014", "datePublished": "2014-04-18T19:00:00", "dateReserved": "2014-02-17T00:00:00", "dateUpdated": "2024-08-06T09:58:16.179Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imapsync_project:imapsync:*:*:*:*:*:*:*:*", "matchCriteriaId": "56905459-0B35-43B8-8C47-FBA9139EA823", "versionEndIncluding": "1.580", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.53:*:*:*:*:*:*:*", "matchCriteriaId": "B40979AF-EB6A-46EB-99E4-D701581ED1BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.500:*:*:*:*:*:*:*", "matchCriteriaId": "5474AB1C-7C65-4DBA-84FC-25225ED0D1F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.504:*:*:*:*:*:*:*", "matchCriteriaId": "FAF07F71-64E1-4C03-990B-125F65BE1755", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.508:*:*:*:*:*:*:*", "matchCriteriaId": "8E69E9B3-6B60-42FC-BF19-5D03C18C2D87", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.516:*:*:*:*:*:*:*", "matchCriteriaId": "89F4D622-A8B7-4694-8299-6CD2A7CC4BC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.518:*:*:*:*:*:*:*", "matchCriteriaId": "561963EC-FC73-4284-91CB-D314EE02B3E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.525:*:*:*:*:*:*:*", "matchCriteriaId": "B0BECF9F-1286-4549-8C60-1956024E0662", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.542:*:*:*:*:*:*:*", "matchCriteriaId": "E29744AC-E2CC-4C1E-8C06-8FD13CD44605", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.547:*:*:*:*:*:*:*", "matchCriteriaId": "F9847527-D696-4BEC-A4D7-38ED38AB2C24", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.554:*:*:*:*:*:*:*", "matchCriteriaId": "2DCD5E84-F077-4690-A25E-A026531FE866", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.558:*:*:*:*:*:*:*", "matchCriteriaId": "8BDBB7C4-28E5-4C04-B55B-FC91E96CA0CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.564:*:*:*:*:*:*:*", "matchCriteriaId": "A74F9B7A-6DAA-4ECA-8113-4629C7FDD987", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.567:*:*:*:*:*:*:*", "matchCriteriaId": "A525B607-E517-4CAD-80F1-053B8F8AB659", "vulnerable": true}, {"criteria": "cpe:2.3:a:imapsync_project:imapsync:1.569:*:*:*:*:*:*:*", "matchCriteriaId": "AFE68C11-2954-4C9E-8439-CB72D051A12A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "imapsync before 1.584, when running with the --tls option, attempts a cleartext login when a certificate verification failure occurs, which allows remote attackers to obtain credentials by sniffing the network."}, {"lang": "es", "value": "imapsync anterior a 1.584, cuando funciona con la opci\u00f3n --tls, intenta un inicio de sesi\u00f3n en texto claro cuando existe un fallo de de verificaci\u00f3n de certificado, lo que permite a atacantes remotos obtener credenciales escuchando la red."}], "id": "CVE-2014-2014", "lastModified": "2023-06-07T13:59:55.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-04-18T22:14:35.980", "references": [{"source": "cve@mitre.org", "url": "http://seclists.org/oss-sec/2014/q1/367"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://seclists.org/oss-sec/2014/q1/378"}, {"source": "cve@mitre.org", "url": "http://www.linux-france.org/prj/imapsync_list/msg01907.html"}, {"source": "cve@mitre.org", "url": "http://www.linux-france.org/prj/imapsync_list/msg01910.html"}, {"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:060"}, {"source": "cve@mitre.org", "url": "https://bugs.mageia.org/show_bug.cgi?id=12770"}, {"source": "cve@mitre.org", "url": "https://github.com/imapsync/imapsync/issues/15"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128293.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}], "source": "nvd@nist.gov", "type": "Primary"}]}