It was discovered that evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to obtain confidential information by tricking the user into connecting to a fake server without the user noticing the difference.

The product does not validate, or incorrectly validates, a certificate.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Evolution-ews | Gnome | * | 3.31.3 (excluding) |
Red Hat Enterprise Linux 7 | RedHat | atk-0:2.28.1-2.el7 | * |
Red Hat Enterprise Linux 7 | RedHat | evolution-0:3.28.5-8.el7 | * |
Red Hat Enterprise Linux 7 | RedHat | evolution-data-server-0:3.28.5-4.el7 | * |
Red Hat Enterprise Linux 7 | RedHat | evolution-ews-0:3.28.5-5.el7 | * |
Red Hat Enterprise Linux 8 | RedHat | evolution-0:3.28.5-9.el8 | * |
Red Hat Enterprise Linux 8 | RedHat | evolution-data-server-0:3.28.5-11.el8 | * |
Red Hat Enterprise Linux 8 | RedHat | evolution-ews-0:3.28.5-5.el8 | * |
Evolution-ews | Ubuntu | bionic | * |
Evolution-ews | Ubuntu | cosmic | * |
Evolution-ews | Ubuntu | disco | * |
Evolution-ews | Ubuntu | eoan | * |
Evolution-ews | Ubuntu | groovy | * |
Evolution-ews | Ubuntu | hirsute | * |
Evolution-ews | Ubuntu | impish | * |
Evolution-ews | Ubuntu | kinetic | * |
Evolution-ews | Ubuntu | lunar | * |
Evolution-ews | Ubuntu | mantic | * |
Evolution-ews | Ubuntu | trusty | * |
Evolution-ews | Ubuntu | xenial | * |