{"id":"CVE-2020-37248","details":"OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.","modified":"2026-07-09T00:21:52.883240Z","published":"2026-06-08T16:16:33.257Z","references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/06/08/3"},{"type":"REPORT","url":"https://github.com/OfflineIMAP/offlineimap/issues/669"},{"type":"REPORT","url":"https://github.com/OfflineIMAP/offlineimap3/issues/222"},{"type":"FIX","url":"https://github.com/OfflineIMAP/offlineimap3/commit/46505c53ef995455d66c685f9ec3ff6ea93dbb74"},{"type":"PACKAGE","url":"https://pypi.org/project/offlineimap/#history"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/offlineimap/offlineimap3","events":[{"introduced":"0"},{"fixed":"0eac4e88b4e508eb815190f8e47c7289bbd32acd"},{"fixed":"46505c53ef995455d66c685f9ec3ff6ea93dbb74"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"8.0.3"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["v8.0.2","v8.0.1","v7.3.0","imaplib2-v2.101","imaplib2-v2.100","v7.2.4","v7.2.3","v7.2.2","v7.2.1","v7.2.0","v7.1.5","v7.1.4","v7.1.3","v7.1.2","v7.1.1","v7.1.0","v7.0.14","v7.0.13","v7.0.12","v7.0.11","v7.0.10","v7.0.9","v7.0.8","v7.0.7","v7.0.6","v7.0.5","v7.0.4","v7.0.3","v7.0.2","v7.0.1","v7.0.0","v7.0.0-rc5","v7.0.0-rc4","v7.0.0-rc3","v6.7.0","v7.0.0-rc2","v7.0.0-rc1","v6.7.0-rc2","v6.5.7","v6.7.0-rc1","v6.6.1","v6.6.0","v6.6.0-rc3","v6.6.0-rc2","v6.6.0-rc1","v6.5.7-rc4","v6.5.7-rc3","v6.5.6-rc1","v6.5.5","v6.5.5-rc3","v6.5.5-rc2","v6.5.5-rc1","v6.5.3.1","v6.5.3","v6.5.2.1","v6.5.2.1-rc1","v6.5.1.2","v6.5.1.1","v6.5.1","v6.5.0","v6.4.4","v6.4.3","v6.4.0","v6.3.5-rc2","v6.3.5-rc1","v6.3.4","v6.3.4-rc4","v6.3.4-rc3","v6.3.4-rc2","v6.3.4-rc1","v6.3.3","v6.3.3-rc3","v6.3.3-rc2","v6.3.3-rc1","v6.3.2","v6.3.2-rc3","v6.3.2-rc2","v6.3.2-rc1","v6.3.1","v6.3.0","debian/6.2.0.2","debian/6.2.0.1","debian/6.1.2","debian/6.1.1","debian/6.1.0","debian/6.0.3","debian/6.0.2","debian/6.0.1","debian/6.0.0","debian/5.99.15","debian/5.99.12","debian/5.99.11","debian/5.99.10","debian/5.99.9","debian/5.99.8","debian/5.99.7","debian/5.99.6","debian/5.99.5","last-darcs-commit","RELEASE_offlineimap_5.99.4","DEBIAN_offlineimap_5.99.4","RELEASE_offlineimap_5.99.3","DEBIAN_offlineimap_5.99.3","RELEASE_offlineimap_5.99.2","DEBIAN_offlineimap_5.99.2","RELEASE_offlineimap_5.99.1","DEBIAN_offlineimap_5.99.1","RELEASE_offlineimap_5.99.0","DEBIAN_offlineimap_5.99.0","Before_UI_reorg","Before_UI_rewrite","Working_post-imaplib_removal","RELEASE_offlineimap_4.0.16","DEBIAN_offlineimap_4.0.16","RELEASE_${PACKAGE}_${VERSION}","DEBIAN_offlineimap_4.0.15","DEBIAN_offlineimap_4.0.12","DEBIAN_offlineimap_4.0.11","DEBIAN_offlineimap_4.0.10","Final_Arch_version","Last_Subversion_point","REL4.0.7","REL4.0.0","REL3.99.0","REL3.2.0","REL3.1.0","REL3.0.0","REL2.0.0","REL1.0.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-37248.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"}]}