CVE-2021-20247
PUBLISHED
A flaw was found in mbsync before v1.3.5 and v1.4.1. Mailbox names returned by IMAP LIST/LSUB are not validated, which allows a malicious or compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. The highest threat from this vulnerability is to data confidentiality and integrity.
Risk Scores
EPSS Score: 1.70% (82.6th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:24.04:LTS | isync | 0, 1.4.4-5build2, 1.4.4-5build3 |
| Ubuntu:20.04:LTS | isync | 0, 1.3.0-2 |
| Ubuntu:18.04:LTS | isync | 0, 1.2.1-2, 1.3.0-1 |
| Ubuntu:25.10 | isync | 1.5.1-1ubuntu1, 1.4.4-5build3, 0 |
| Ubuntu:22.04:LTS | isync | 1.4.4-3, 1.4.4-3ubuntu0.22.04.1, 1.3.0-2.2 |
| Ubuntu:16.04:LTS | isync | 1.1.2-1, 0 |
Timeline
- Feb 23, 2021 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-20247 third-party-advisory
- https://www.openwall.com/lists/oss-security/2021/02/22/1 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-20247 third-party-advisory