Description
GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store. This allows a meddler in the middle to present a different invalid certificate to intercept incoming and outgoing mail.
References (4)
Core References
Exploit, Issue Tracking, Third Party Advisory (x_refsource_misc): https://gitlab.gnome.org/GNOME/geary/-/issues/866
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS6CSTOBVO5HSAR3X5CT6DS6QDHXDB26/
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G7OTYTGND6EFOKNQJWCHKKXKSN7SM73Y/
Broken Link (vendor-advisory, x_refsource_cisco): https://tools.cisco.com/security/center/content/CiscoSeg/message/NS6CSTOBVO5HSAR3X5CT6DS6QDHXDB26/
Scores
CVSS v3
5.9
EPSS
0.0025
EPSS Percentile
48.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-295
Status
published
Products (3)
fedoraproject/fedora
31
fedoraproject/fedora
32
gnome/geary
< 3.36.3
Published
Aug 26, 2020
Tracked Since
Feb 18, 2026