CVE-2021-20247 - log

CVE-2021-20247 edited at 23 Feb 2021 20:05:50
Description
- isync/mbsync didn't validate the mailbox names returned by IMAP LIST/LSUB, which would allow a malicious/compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. This is fixed in mbsync versions 1.3.5 and 1.4.1.
+ A security issue was found in isync/mbsync before versions 1.3.5 and 1.4.1. Validations of the mailbox names returned by IMAP LIST/LSUB do not occur, allowing a malicious or compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel.
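The check the description says was missing, as an added example: this is not isync/mbsync code and does not reproduce its fix; it shows the class of validation a synchroniser needs before a server-supplied mailbox name from LIST/LSUB is turned into a path under the local mail store. The store root, the hierarchy delimiter and the sample LIST names are constructed for the example.

```python
"""Mailbox-name validation for an IMAP-to-Maildir synchroniser.

Added example, not code from isync/mbsync: it demonstrates the class of check
that CVE-2021-20247 describes as missing, i.e. refusing mailbox names from a
LIST/LSUB response whose path components would escape the local mail store.
"""
import posixpath


class UnsafeMailboxName(ValueError):
    """Raised for a server-supplied mailbox name that must not be used on disk."""


def validate_mailbox_name(name, delimiter="/"):
    """Return `name` unchanged if every component is safe, else raise.

    `delimiter` is the hierarchy delimiter the server advertised in its
    LIST response (assumed '/' by default; '.' is common too). Each component
    becomes one directory level under the local store root.
    """
    if not name:
        raise UnsafeMailboxName("empty mailbox name")
    if "\0" in name:
        raise UnsafeMailboxName("NUL byte in mailbox name")
    for comp in name.split(delimiter):
        if comp in ("", ".", ".."):
            raise UnsafeMailboxName(f"unsafe path component {comp!r} in {name!r}")
        if "/" in comp or "\\" in comp:
            # A component must not carry its own directory separators; otherwise
            # 'a/b' under a '.' delimiter would still nest directories on disk.
            raise UnsafeMailboxName(f"separator inside component {comp!r}")
    return name


def mailbox_to_path(root, name, delimiter="/"):
    """Map a validated mailbox name to an on-disk path below `root`.

    Defence in depth: even after validation, confirm the normalised path is
    still inside `root` before returning it.
    """
    validate_mailbox_name(name, delimiter)
    root = posixpath.normpath(root)
    path = posixpath.normpath(posixpath.join(root, *name.split(delimiter)))
    if not path.startswith(root + "/"):
        raise UnsafeMailboxName(f"{name!r} resolves outside {root!r}")
    return path


def filter_list_response(root, names, delimiter="/"):
    """Partition mailbox names from a LIST/LSUB response into usable and rejected.

    Returns (accepted, rejected): accepted maps name -> local path, rejected is
    a list of (name, reason) pairs worth logging, since a '..' name from a
    server is a strong signal that the server is malicious or compromised.
    """
    accepted, rejected = {}, []
    for n in names:
        try:
            accepted[n] = mailbox_to_path(root, n, delimiter)
        except UnsafeMailboxName as exc:
            rejected.append((n, str(exc)))
    return accepted, rejected


# Constructed sample: mailbox names as a server might return them in LIST,
# including the kind of '..' names the advisory describes.
SAMPLE_LIST = [
    "INBOX",
    "INBOX/Sent",
    "Archive/2020",
    "../../.ssh",
    "INBOX/../Drafts",
    "/etc",
    "a/./b",
]

if __name__ == "__main__":
    ok, bad = filter_list_response("/home/user/Mail", SAMPLE_LIST)
    for name, path in ok.items():
        print(f"sync  {name!r:20} -> {path}")
    for name, reason in bad:
        print(f"skip  {name!r:20} ({reason})")
```

The component check and the post-normalisation root check are deliberately both present: the first gives a precise reason to log, the second catches anything the first did not anticipate (for instance a delimiter other than '/' combined with a component that contains a slash).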
CVE-2021-20247 edited at 22 Feb 2021 18:34:48
Type
- Information disclosure
+ Directory traversal
CVE-2021-20247 edited at 22 Feb 2021 17:46:12
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ isync/mbsync didn't validate the mailbox names returned by IMAP LIST/LSUB, which would allow a malicious/compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. This is fixed in mbsync versions 1.3.5 and 1.4.1.
References
+ https://www.openwall.com/lists/oss-security/2021/02/22/1
+ https://sourceforge.net/p/isync/isync/ci/fe5d59f8e3169944e57eb1c60155c9ebd4912d48/
Notes
CVE-2021-20247 created at 22 Feb 2021 17:36:07