製品・ソフトウェアに関する情報

JVN脆弱性詳細

Canary Mail における証明書検証に関する脆弱性

Title	Canary Mail における証明書検証に関する脆弱性
Summary	Canary Mail には、証明書検証に関する脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 10, 2021, midnight
Registration Date	Nov. 12, 2021, 2:18 p.m.
Last Update	Nov. 12, 2021, 2:18 p.m.

Affected System

Canary Mail

Canary Mail 3.22 未満

libmailcore

MailCore2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-26911	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26911
National Vulnerability Database (NVD)
2	CVE-2021-26911	https://nvd.nist.gov/vuln/detail/CVE-2021-26911
関連文書
3	CVE-2021-26911: Canary Mail with IMAP STARTTLS missing certificate validation	https://www.openwall.com/lists/oss-security/2021/02/17/3

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-295	https://cwe.mitre.org/data/definitions/295.html

ベンダー情報

No	Name	URL
Apple App Store
1	Canary Mail App	https://apps.apple.com/us/app/canary-mail/id1236045954
GitHub
2	mailcore2	https://github.com/MailCore/mailcore2
3	[Core] Check Start/TLS cert	https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018

Change Log

No	Changed Details	Date of change
1	[2021年11月12日] 掲載	Nov. 12, 2021, 2:18 p.m.

NVD Vulnerability Information

CVE-2021-26911

Summary	core/imap/MCIMAPSession.cpp in Canary Mail before 3.22 has Missing SSL Certificate Validation for IMAP in STARTTLS mode.
Publication Date	Feb. 18, 2021, 6:15 a.m.
Registration Date	Feb. 18, 2021, 10:02 a.m.
Last Update	Nov. 21, 2024, 2:57 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:canarymail:canary_mail:3.20:::::iphone_os::
cpe:2.3:a:canarymail:canary_mail:3.21:::::iphone_os::

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:libmailcore:mailcore2:0.6.4:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.openwall.com/lists/oss-security/2021/02/17/3	Mailing List Patch Third Party Advisory
2	http://www.openwall.com/lists/oss-security/2021/02/17/3	Mailing List Patch Third Party Advisory
3	https://apps.apple.com/us/app/canary-mail/id1236045954	Product Third Party Advisory
4	https://apps.apple.com/us/app/canary-mail/id1236045954	Product Third Party Advisory
5	https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/	Exploit Third Party Advisory
6	https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/	Exploit Third Party Advisory
7	https://census-labs.com/news/category/advisories/	Third Party Advisory
8	https://census-labs.com/news/category/advisories/	Third Party Advisory
9	https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018	Patch Third Party Advisory
10	https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018	Patch Third Party Advisory
11	https://www.openwall.com/lists/oss-security/2021/02/17/3	Mailing List Patch Third Party Advisory
12	https://www.openwall.com/lists/oss-security/2021/02/17/3	Mailing List Patch Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-295	不正な証明書検証	https://cwe.mitre.org/data/definitions/295.html