OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.
{ "binaries": [ { "binary_name": "offlineimap", "binary_version": "7.3.3+dfsg1-1+0.0~git20211018.e64c254+dfsg-1" }, { "binary_name": "offlineimap3", "binary_version": "0.0~git20211018.e64c254+dfsg-1" } ] }
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-37248.json"
{ "binaries": [ { "binary_name": "offlineimap", "binary_version": "7.3.3+dfsg1-1+0.0~git20231218.d29a4dc+dfsg-3ubuntu1" }, { "binary_name": "offlineimap3", "binary_version": "0.0~git20231218.d29a4dc+dfsg-3ubuntu1" } ] }
{ "binaries": [ { "binary_name": "offlineimap", "binary_version": "7.3.3+dfsg1-1+0.0~git20240826.db34745+dfsg-2ubuntu1" }, { "binary_name": "offlineimap3", "binary_version": "0.0~git20240826.db34745+dfsg-2ubuntu1" } ] }
{ "binaries": [ { "binary_name": "offlineimap", "binary_version": "7.3.3+dfsg1-1+0.0~git20240826.db34745+dfsg-2ubuntu2" }, { "binary_name": "offlineimap3", "binary_version": "0.0~git20240826.db34745+dfsg-2ubuntu2" } ] }