CVE-2020-37248 | THREATINT

Description

OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.

PUBLISHED Reserved 2026-06-08 | Published 2026-06-08 | Updated 2026-06-08 | Assigner mitre

MEDIUM: 6.5CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Problem types

CWE-348 Use of Less Trusted Source

Product status

Default status

unaffected

Any version before 8.0.3

affected

References

www.openwall.com/lists/oss-security/2026/06/08/3

github.com/...ommit/46505c53ef995455d66c685f9ec3ff6ea93dbb74

github.com/OfflineIMAP/offlineimap3/issues/222

github.com/OfflineIMAP/offlineimap/issues/669

pypi.org/project/offlineimap/

cve.org (CVE-2020-37248)

nvd.nist.gov (CVE-2020-37248)

Download JSON