CVE-2020-15917
Description
common/session.c in Claws Mail before 3.17.6 has a protocol violation because suffix data after STARTTLS is mishandled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Claws Mail before 3.17.6 mishandles suffix data after a STARTTLS command, violating the TLS protocol and enabling possible network attacks.
Vulnerability
Claws Mail versions before 3.17.6 contain a protocol violation in common/session.c, which mishandles suffix data that may appear after a STARTTLS command during the SMTP or IMAP connection handshake [1][2][3]. The flaw is that the client does not discard residual plaintext data already received when it initiates the TLS upgrade, contrary to the TLS protocol specification.
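As an added illustration of the check described above (example code written for this page, not Claws Mail's own common/session.c): after sending STARTTLS the client should confirm that the server's reply is a single success line and that nothing else is sitting in the receive buffer before handing the socket to TLS. The function name, the enum and the sample replies are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome of inspecting the receive buffer after the client sent STARTTLS. */
enum starttls_check {
    STARTTLS_OK,            /* single success reply, buffer otherwise empty */
    STARTTLS_REJECTED,      /* reply is not the expected success line */
    STARTTLS_TRAILING_DATA  /* plaintext bytes follow the reply: abort */
};

/* Hypothetical check, not Claws Mail's code. buf/len are the raw bytes read
 * so far; reply_code is the success prefix ("220" for SMTP, "<tag> OK" for
 * IMAP). Returns STARTTLS_OK only if the socket is safe to hand to TLS. */
enum starttls_check check_starttls_reply(const char *buf, size_t len,
                                         const char *reply_code)
{
    const char *eol = memchr(buf, '\n', len);
    if (eol == NULL)
        return STARTTLS_REJECTED;           /* no complete reply line yet */
    size_t line_len = (size_t)(eol - buf) + 1;
    size_t code_len = strlen(reply_code);
    if (line_len < code_len + 2 || strncmp(buf, reply_code, code_len) != 0)
        return STARTTLS_REJECTED;
    /* The code must end the token: "220-" (continuation) or "2200" is not
     * the final single-line success reply required before upgrading. */
    if (buf[code_len] != ' ' && buf[code_len] != '\r' && buf[code_len] != '\n')
        return STARTTLS_REJECTED;
    /* Anything after the reply line was received in plaintext, before the
     * handshake. Carrying it into the TLS session would let an on-path party
     * plant bytes that the client then treats as coming over the secure
     * channel, so the only safe response is to drop the connection. */
    if (line_len < len)
        return STARTTLS_TRAILING_DATA;
    return STARTTLS_OK;
}

int main(void)
{
    /* Constructed sample replies: a clean one and one with an injected suffix. */
    const char clean[] = "220 Ready to start TLS\r\n";
    const char suffix[] = "220 Ready to start TLS\r\nEHLO injected\r\n";
    printf("clean:  %d\n", check_starttls_reply(clean, sizeof clean - 1, "220"));
    printf("suffix: %d\n", check_starttls_reply(suffix, sizeof suffix - 1, "220"));
    return 0;
}
```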
Exploitation
An attacker who can perform a man-in-the-middle (MITM) attack on the network path between the Claws Mail client and the mail server could inject crafted suffix data after the STARTTLS response [3]. The attacker does not require authentication or prior access to the mail client. The exploitation does not rely on user interaction beyond the client being configured to use STARTTLS (opportunistic or mandatory).
Impact
Successful exploitation could allow the attacker to breach the integrity or confidentiality of email connections that use STARTTLS [3]. The protocol violation may lead to downgrade attacks, disclosure of credentials or message content, or injection of malicious data into the TLS session, depending on the attacker’s goals and the mail server’s behavior.
Mitigation
Users should upgrade to Claws Mail version 3.17.6 or later, which fixes the protocol handling [1][2][3]. For Gentoo Linux users, the patched version is available via >=mail-client/claws-mail-3.17.6 [3]. No workaround is known; applying the update is the only advised mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (8)
- Claws Mail / Claws Mail (description)
- OSV coordinates (7 versions):
- pkg:rpm/opensuse/claws-mail&distro=openSUSE%20Leap%2015.1
- pkg:rpm/opensuse/claws-mail&distro=openSUSE%20Leap%2015.2
- pkg:rpm/opensuse/claws-mail&distro=openSUSE%20Leap%2015.3
- pkg:rpm/opensuse/claws-mail&distro=openSUSE%20Tumbleweed
- pkg:rpm/suse/claws-mail&distro=SUSE%20Package%20Hub%2015%20SP1
- pkg:rpm/suse/claws-mail&distro=SUSE%20Package%20Hub%2015%20SP2
- pkg:rpm/suse/claws-mail&distro=SUSE%20Package%20Hub%2015%20SP3
- Version ranges (no CPE):
- (no CPE) range: < 3.17.3-lp151.2.3.1
- (no CPE) range: < 3.17.6-lp152.3.3.1
- (no CPE) range: < 3.18.0-bp153.2.3.1
- (no CPE) range: < 4.0.0-2.5
- (no CPE) range: < 3.17.8-bp152.3.6.1
- (no CPE) range: < 3.17.8-bp152.3.6.1
- (no CPE) range: < 3.18.0-bp153.2.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (9)
- lists.opensuse.org/opensuse-security-announce/2020-07/msg00090.html (vendor advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-08/msg00002.html (vendor advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-08/msg00060.html (vendor advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00051.html (vendor advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-11/msg00013.html (vendor advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6YVQB7NRBHO67Q74RS7RZCMW4ENRVBB4/ (vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G7UX65342HRVDQML4G4GEVEUB764EUM5/ (vendor advisory, x_refsource_FEDORA)
- security.gentoo.org/glsa/202007-56 (vendor advisory, x_refsource_GENTOO)
- git.claws-mail.org (x_refsource_MISC)
News mentions
No linked articles in our index yet.