Vulnerability Details CVE-2021-39361
In GNOME evolution-rss through 0.3.96, network-soup.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 29.7%
CVSS Severity
CVSS v3 Score 5.9
CVSS v2 Score 4.3
References
- https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/
- https://gitlab.gnome.org/GNOME/evolution-rss/-/issues/11
- https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/
- https://gitlab.gnome.org/GNOME/evolution-rss/-/issues/11
Products affected by CVE-2021-39361
-
cpe:2.3:a:gnome:evolution-rss:0.0.8
-
cpe:2.3:a:gnome:evolution-rss:0.1.0
-
cpe:2.3:a:gnome:evolution-rss:0.1.2
-
cpe:2.3:a:gnome:evolution-rss:0.1.4
-
cpe:2.3:a:gnome:evolution-rss:0.1.4.1
-
cpe:2.3:a:gnome:evolution-rss:0.2.0
-
cpe:2.3:a:gnome:evolution-rss:0.2.0.1
-
cpe:2.3:a:gnome:evolution-rss:0.2.1
-
cpe:2.3:a:gnome:evolution-rss:0.2.2
-
cpe:2.3:a:gnome:evolution-rss:0.2.3
-
cpe:2.3:a:gnome:evolution-rss:0.2.4
-
cpe:2.3:a:gnome:evolution-rss:0.2.5
-
cpe:2.3:a:gnome:evolution-rss:0.3.91
-
cpe:2.3:a:gnome:evolution-rss:0.3.92
-
cpe:2.3:a:gnome:evolution-rss:0.3.93
-
cpe:2.3:a:gnome:evolution-rss:0.3.94
-
cpe:2.3:a:gnome:evolution-rss:0.3.95
-
cpe:2.3:a:gnome:evolution-rss:0.3.96