CVE-2020-37248
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/06/2026
Last modified:
09/06/2026
Description
OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/OfflineIMAP/offlineimap/issues/669
- https://github.com/OfflineIMAP/offlineimap3/commit/46505c53ef995455d66c685f9ec3ff6ea93dbb74
- https://github.com/OfflineIMAP/offlineimap3/issues/222
- https://pypi.org/project/offlineimap/#history
- http://www.openwall.com/lists/oss-security/2026/06/08/3



