CVE-2021-39361

In GNOME evolution-rss through 0.3.96, network-soup.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name	Vendor	Start Version	End Version
Evolution-rss	Gnome	*	0.3.96 (including)
Evolution-rss	Ubuntu	bionic	*
Evolution-rss	Ubuntu	focal	*
Evolution-rss	Ubuntu	hirsute	*
Evolution-rss	Ubuntu	impish	*
Evolution-rss	Ubuntu	trusty	*
Evolution-rss	Ubuntu	xenial	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/459.html
https://cwe.mitre.org/data/definitions/475.html

References

https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/
https://gitlab.gnome.org/GNOME/evolution-rss/-/issues/11
https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/
https://gitlab.gnome.org/GNOME/evolution-rss/-/issues/11

NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-39361
CWE	https://cwe.mitre.org/data/definitions/295.html

Improper Certificate Validation

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References