Man-in-the-middle attack in GNOME Evolution Data Server - CVE-2016-10727

Published: July 26, 2018 / Updated: July 27, 2018


Vulnerability identifier: #VU14024
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2016-10727
CWE-ID: CWE-300
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: Gnome Development Team
Affected software:
GNOME Evolution Data Server

Detailed vulnerability description

The vulnerability allows an adjacent attacker to conduct a man-in-the-middle attack.

The vulnerability exists because the IMAPx component of GNOME Evolution Data Server, as defined in the camel/providers/imapx/camel-imapx-server.c source code file of the affected software, does not support STARTTLS. An adjacent attacker can sniff network traffic between the two systems and gain access to sensitive information, such as the user's password, and use it to conduct further attacks.
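
A fail-closed check for an account configured to use STARTTLS, as an added example (not code from Evolution Data Server): credentials are withheld unless the server's capability list advertises STARTTLS. The function and enum names and the sample server lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative names, not taken from camel-imapx-server.c. */
enum login_action { LOGIN_UPGRADE_TLS, LOGIN_ABORT_NO_TLS, LOGIN_NEED_CAPABILITY };

/* Case-insensitive compare of one token against an upper-case name. */
static int token_eq(const char *tok, size_t len, const char *want)
{
    size_t i;
    if (strlen(want) != len) return 0;
    for (i = 0; i < len; i++)
        if (toupper((unsigned char)tok[i]) != want[i]) return 0;
    return 1;
}

/* Called for an account configured for STARTTLS, before any credentials
 * are sent. `line` is an untagged "* CAPABILITY ..." response or a
 * "* OK [CAPABILITY ...] text" greeting. */
enum login_action plan_login(const char *line)
{
    const char *p = line;
    int in_caps = 0, has_starttls = 0;

    for (;;) {
        size_t len;
        while (*p == ' ' || *p == '[') p++;
        len = strcspn(p, " ]\r\n");
        if (len == 0) break;   /* ']' or end of line: capability list is over */
        if (!in_caps) in_caps = token_eq(p, len, "CAPABILITY");
        else if (token_eq(p, len, "STARTTLS")) has_starttls = 1;
        p += len;
    }
    if (!in_caps) return LOGIN_NEED_CAPABILITY;   /* ask the server first */
    return has_starttls ? LOGIN_UPGRADE_TLS : LOGIN_ABORT_NO_TLS;
}

int main(void)
{
    /* Constructed sample server lines. */
    const char *samples[] = {
        "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n",
        "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] STARTTLS is not offered\r\n",
        "* OK server ready\r\n",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d <- %s", (int)plan_login(samples[i]), samples[i]);
    return 0;
}
```

On `LOGIN_ABORT_NO_TLS` the client closes the connection instead of falling back to a cleartext login.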


How to mitigate CVE-2016-10727

Update to version 3.21.2.
