CVE-2020-37248

June 9, 2026, 1:57 p.m.

6.5
Medium

Description

OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.

Product(s) Impacted

Vendor Product Versions
Offlineimap
  • Offlineimap
  • <8.0.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-348
Use of Less Trusted Source
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a offlineimap offlineimap <8.0.3 / / / / / / /

References

https://github.com/OfflineIMAP/offlineimap/issues/669
https://github.com/OfflineIMAP/offlineimap3/commit/46505c53ef995455d66c685f9ec3ff6ea93dbb74
https://github.com/OfflineIMAP/offlineimap3/issues/222
https://pypi.org/project/offlineimap/#history
http://www.openwall.com/lists/oss-security/2026/06/08/3

Tags

[email protected]
CWE-348
2026-06-08
CVE-2020-37248

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

    View Vector String

Timeline

Published: June 8, 2026, 4:16 p.m.
Last Modified: June 9, 2026, 1:57 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.