Fluid Attacks Database

Description

In GNOME evolution-data-server before 3.35.91, a malicious server can crash the mail client with a NULL pointer dereference by sending an invalid (e.g., minimal) CAPABILITY line on a connection attempt. This is related to imapx_free_capability and imapx_connect_to_server.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	evolution-data-server	>=0 <3.36.0-1	3.36.0-1
debian 12	evolution-data-server	>=0 <3.36.0-1	3.36.0-1
debian 14	evolution-data-server	>=0 <3.36.0-1	3.36.0-1
debian 13	evolution-data-server	>=0 <3.36.0-1	3.36.0-1
rpm rhel8	evolution	<0:3.28.5-16.el8	0:3.28.5-16.el8
rpm rhel5	evolution-data-server	-	-
rpm rhel6	evolution-data-server	-	-
rpm rhel7	evolution-data-server	-	-
rpm rhel8	evolution-data-server	<0:3.28.5-15.el8	0:3.28.5-15.el8
rpm rhel8	evolution-ews	<0:3.28.5-10.el8	0:3.28.5-10.el8

Aliases

1. CVE-2020-161172. NVD-2020-161173. OSV-DEBIAN-2020-161174. OSV-2020-161175. SECURITY-TRACKER-CVE-2020-16117

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.