CVE-2020-37248

Source
https://cve.org/CVERecord?id=CVE-2020-37248
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-37248.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-37248
Downstream
Published
2026-06-08T16:16:33.257Z
Modified
2026-07-09T00:21:52.883240Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
[none]
Details

OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.

References

Affected packages

Git / github.com/offlineimap/offlineimap3

Affected ranges

Type
GIT
Repo
https://github.com/offlineimap/offlineimap3
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.0.3"
        }
    ]
}

Affected versions

Other
Before_UI_reorg
Before_UI_rewrite
Final_Arch_version
Last_Subversion_point
RELEASE_${PACKAGE}_${VERSION}
Working_post-imaplib_removal
last-darcs-commit
DEBIAN_offlineimap_4.*
DEBIAN_offlineimap_4.0.10
DEBIAN_offlineimap_4.0.11
DEBIAN_offlineimap_4.0.12
DEBIAN_offlineimap_4.0.15
DEBIAN_offlineimap_4.0.16
DEBIAN_offlineimap_5.*
DEBIAN_offlineimap_5.99.0
DEBIAN_offlineimap_5.99.1
DEBIAN_offlineimap_5.99.2
DEBIAN_offlineimap_5.99.3
DEBIAN_offlineimap_5.99.4
REL1.*
REL1.0.4
REL2.*
REL2.0.0
REL3.*
REL3.0.0
REL3.1.0
REL3.2.0
REL3.99.0
REL4.*
REL4.0.0
REL4.0.7
RELEASE_offlineimap_4.*
RELEASE_offlineimap_4.0.16
RELEASE_offlineimap_5.*
RELEASE_offlineimap_5.99.0
RELEASE_offlineimap_5.99.1
RELEASE_offlineimap_5.99.2
RELEASE_offlineimap_5.99.3
RELEASE_offlineimap_5.99.4
debian/5.*
debian/5.99.10
debian/5.99.11
debian/5.99.12
debian/5.99.15
debian/5.99.5
debian/5.99.6
debian/5.99.7
debian/5.99.8
debian/5.99.9
debian/6.*
debian/6.0.0
debian/6.0.1
debian/6.0.2
debian/6.0.3
debian/6.1.0
debian/6.1.1
debian/6.1.2
debian/6.2.0.1
debian/6.2.0.2
imaplib2-v2.*
imaplib2-v2.100
imaplib2-v2.101
v6.*
v6.3.0
v6.3.1
v6.3.2
v6.3.2-rc1
v6.3.2-rc2
v6.3.2-rc3
v6.3.3
v6.3.3-rc1
v6.3.3-rc2
v6.3.3-rc3
v6.3.4
v6.3.4-rc1
v6.3.4-rc2
v6.3.4-rc3
v6.3.4-rc4
v6.3.5-rc1
v6.3.5-rc2
v6.4.0
v6.4.3
v6.4.4
v6.5.0
v6.5.1
v6.5.1.1
v6.5.1.2
v6.5.2.1
v6.5.2.1-rc1
v6.5.3
v6.5.3.1
v6.5.5
v6.5.5-rc1
v6.5.5-rc2
v6.5.5-rc3
v6.5.6-rc1
v6.5.7
v6.5.7-rc3
v6.5.7-rc4
v6.6.0
v6.6.0-rc1
v6.6.0-rc2
v6.6.0-rc3
v6.6.1
v6.7.0
v6.7.0-rc1
v6.7.0-rc2
v7.*
v7.0.0
v7.0.0-rc1
v7.0.0-rc2
v7.0.0-rc3
v7.0.0-rc4
v7.0.0-rc5
v7.0.1
v7.0.10
v7.0.11
v7.0.12
v7.0.13
v7.0.14
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.0.8
v7.0.9
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.2.0
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.3.0
v8.*
v8.0.1
v8.0.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-37248.json"