evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a begin TLS response, eds reads additional data and evaluates it in a TLS context, aka response injection.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Evolution-data-server | Gnome | * | 3.36.3 (including) |
| Red Hat Enterprise Linux 8 | RedHat | bogofilter-0:1.2.5-2.el8 | * |
| Red Hat Enterprise Linux 8 | RedHat | evolution-0:3.28.5-14.el8 | * |
| Red Hat Enterprise Linux 8 | RedHat | evolution-data-server-0:3.28.5-14.el8 | * |
| Red Hat Enterprise Linux 8 | RedHat | evolution-mapi-0:3.28.3-3.el8 | * |
| Red Hat Enterprise Linux 8 | RedHat | openchange-0:2.3-26.el8 | * |
| Evolution-data-server | Ubuntu | bionic | * |
| Evolution-data-server | Ubuntu | eoan | * |
| Evolution-data-server | Ubuntu | focal | * |
| Evolution-data-server | Ubuntu | trusty | * |
| Evolution-data-server | Ubuntu | upstream | * |
| Evolution-data-server | Ubuntu | xenial | * |