This security bulletin contains one low risk vulnerability.
Exploit availability: NoDescription
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in
some circumstances, such as a certain situation with IMAP and PREAUTH. A remote attacker with ability to intercept network traffic can gain access to sensitive information.
Install updates from vendor's website.Vulnerable software versions
Fetchmail: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.4.12, 6.4.13, 6.4.14, 6.4.15, 6.4.16, 6.4.17, 6.4.18, 6.4.19, 6.4.20, 6.4.21CPE2.3
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.