CVE-2020-15954 - log

CVE-2020-15954 edited at 18 Nov 2021 12:52:04
Severity
- Low
+ Medium
CVE-2020-15954 edited at 18 Nov 2021 12:47:36
References
- https://kde.org/info/security/advisory-20211118-1.txt
+ https://nostarttls.secvuln.info/
https://bugs.kde.org/show_bug.cgi?id=423426
+ https://invent.kde.org/pim/kdepim-runtime/-/commit/bd64ab29116aa7318fdee7f95878ff97580162f2
+ https://invent.kde.org/pim/kmail-account-wizard/-/commit/a64d80e523edce7d3d59c26834973418fae042f6
+ https://invent.kde.org/pim/kdepim-runtime/-/commit/35447bd04e8c12afac524e1c4556ef3db088e014
- https://invent.kde.org/pim/ksmtp/-/commit/b33f06397ea2f02ebfa26b77862fcb7164b4ba0c
- https://invent.kde.org/pim/ksmtp/-/commit/38a4c09427f3fdc04f9893f8eda3f6807d9a3203
- https://invent.kde.org/pim/ksmtp/-/commit/60f73c69758fe40a027a8e7402127d085f18545a
- https://invent.kde.org/pim/ksmtp/-/commit/77a366023715745a0677a93b6e3cb69856f8f299
- https://invent.kde.org/pim/ksmtp/-/commit/5d96c216281b88e1ceb2f6e7fc8b68c593674251
- https://invent.kde.org/pim/kmailtransport/-/commit/b49ee72009620f152aaab1f592704e56e3be01f5
Notes
- Workaround
- ==========
-
- Make sure that "Server requires authentication" is set.
CVE-2020-15954 edited at 18 Nov 2021 12:43:07
Description
- A security issue has been found in KMail and ksmtp. Encryption is not used to connect to a SMTP server, if "Server requires authentication" is not checked. It causes KMail to send any mail in cleartext. From the user point of view it seems like the connection should be encrypted.
+ KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use.
CVE-2020-15954 edited at 18 Nov 2021 12:37:02
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Silent downgrade
Description
+ A security issue has been found in KMail and ksmtp. Encryption is not used to connect to a SMTP server, if "Server requires authentication" is not checked. It causes KMail to send any mail in cleartext. From the user point of view it seems like the connection should be encrypted.
References
+ https://kde.org/info/security/advisory-20211118-1.txt
+ https://bugs.kde.org/show_bug.cgi?id=423426
+ https://invent.kde.org/pim/ksmtp/-/commit/b33f06397ea2f02ebfa26b77862fcb7164b4ba0c
+ https://invent.kde.org/pim/ksmtp/-/commit/38a4c09427f3fdc04f9893f8eda3f6807d9a3203
+ https://invent.kde.org/pim/ksmtp/-/commit/60f73c69758fe40a027a8e7402127d085f18545a
+ https://invent.kde.org/pim/ksmtp/-/commit/77a366023715745a0677a93b6e3cb69856f8f299
+ https://invent.kde.org/pim/ksmtp/-/commit/5d96c216281b88e1ceb2f6e7fc8b68c593674251
+ https://invent.kde.org/pim/kmailtransport/-/commit/b49ee72009620f152aaab1f592704e56e3be01f5
Notes
+ Workaround
+ ==========
+
+ Make sure that "Server requires authentication" is set.
CVE-2020-15954 created at 18 Nov 2021 12:31:41