Fluid Attacks Database

Description

It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	evolution-ews	>=0 <3.30.5-1.1	3.30.5-1.1
debian 12	evolution-ews	>=0 <3.30.5-1.1	3.30.5-1.1
debian 13	evolution-ews	>=0 <3.30.5-1.1	3.30.5-1.1
debian 14	evolution-ews	>=0 <3.30.5-1.1	3.30.5-1.1
rpm rhel7	evolution-ews	<0:3.28.5-5.el7	0:3.28.5-5.el7
rpm rhel7	evolution	<0:3.28.5-8.el7	0:3.28.5-8.el7
rpm rhel8	evolution-data-server	<0:3.28.5-11.el8	0:3.28.5-11.el8
rpm rhel8	evolution	<0:3.28.5-9.el8	0:3.28.5-9.el8
rpm rhel7	atk	<0:2.28.1-2.el7	0:2.28.1-2.el7
rpm rhel7	evolution-data-server	<0:3.28.5-4.el7	0:3.28.5-4.el7

1-10 of 11

Aliases

1. CVE-2019-38902. NVD-2019-38903. OSV-DEBIAN-2019-38904. OSV-2019-38905. SECURITY-TRACKER-CVE-2019-3890

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.