CVE-2020-37248
Description
OfflineIMAP versions prior to 8.0.3 are vulnerable to STARTTLS stripping, allowing attackers to intercept credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OfflineIMAP versions before 8.0.3 incorrectly trust the server's STARTTLS capability advertisement. This allows a man-in-the-middle attacker to strip the STARTTLS capability, forcing the client to use a cleartext connection before authentication [2].
Exploitation
An attacker with network visibility can intercept the connection between OfflineIMAP and the IMAP server. By stripping the STARTTLS capability from the server's response, the attacker can trick OfflineIMAP into initiating a cleartext connection, thereby capturing the user's account credentials [2, 4].
Impact
Successful exploitation allows an attacker to obtain user account credentials in cleartext. This can lead to account takeover and potential compromise of sensitive email data [2].
Mitigation
OfflineIMAP version 8.0.3 and later include a fix for this vulnerability [2]. The fix involves attempting STARTTLS even if the server does not advertise it, to prevent capability-stripping attacks [4]. No workarounds are mentioned in the available references.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <8.0.3
Patches
146505c53ef99 imapserver: fix STARTTLS-stripping attack vulnerability
1 file changed · +12 −2
offlineimap/imapserver.py+12 −2 modified@@ -390,9 +390,19 @@ def __start_tls(self, imapobj): caps_pre = set(getattr(imapobj, '_offlineimap_capabilities_pre_tls', getattr(imapobj, 'capabilities', []))) - # If the server does not advertise STARTTLS, respect that. + # If the server does not advertise STARTTLS, warn but attempt anyway. + # Per RFC 2595 section 9, a man-in-the-middle attacker can strip + # STARTTLS from the capability list to force a cleartext connection. + # Silently skipping STARTTLS when the user configured it would make + # offlineimap vulnerable to this attack. We try regardless and let + # the server reject the command if it genuinely does not support it. if 'STARTTLS' not in caps_pre: - return + self.ui.warn( + "Server '%s' did not advertise STARTTLS in its capabilities, " + "but starttls is configured. Attempting STARTTLS anyway to " + "guard against capability-stripping attacks (RFC 2595 §9)." + % self.hostname + ) # Execute STARTTLS. self.ui.debug('imap', 'Using STARTTLS connection')
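Review bot: the new comment promises to "let the server reject the command if it genuinely does not support it", but the hunk shows no handling of that rejection: after the warning the code falls straight through to `self.ui.debug('imap', 'Using STARTTLS connection')`, and nothing visible here ensures that a NO/BAD reply to STARTTLS aborts the connection instead of continuing to authentication in cleartext. An on-path party that can remove STARTTLS from the capability list can just as easily answer the STARTTLS command with a rejection, so the fix is only complete if that failure path is fail-closed; please either make the rejection raise and close the connection, or point in the comment to the existing code that already does so.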
Vulnerability mechanics
Root cause
"OfflineIMAP trusts the server's STARTTLS capability advertisement before authentication, allowing a man-in-the-middle to strip STARTTLS and intercept credentials."
Attack vector
An attacker can intercept the connection between OfflineIMAP and an IMAP server. By stripping the STARTTLS capability from the server's response, the attacker forces OfflineIMAP to proceed with a cleartext connection. This allows the attacker to capture account credentials in plain text during the authentication process [2]. The vulnerability is exploitable over the network without requiring any authentication from the attacker.
Affected code
The vulnerability lies within the `__start_tls` method in the imapserver module. Specifically, the code previously returned early when the server did not advertise STARTTLS in its capabilities, leaving the connection in cleartext for the subsequent login. The fix modifies this logic to attempt STARTTLS regardless of the advertised capabilities, thereby mitigating the risk of capability-stripping attacks.
What the fix does
The patch modifies the STARTTLS handling to ignore the server's advertised capabilities regarding STARTTLS. Instead of returning if STARTTLS is not advertised, the code now warns the user but attempts to initiate STARTTLS anyway. This behavior guards against man-in-the-middle attackers who strip STARTTLS from the capabilities list, ensuring that a secure connection is attempted even if the server falsely claims not to support it [2].
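The pre-8.0.3 decision and the fixed one side by side, in a small offline simulation of the `__start_tls` logic described in the Attack vector and What the fix does sections. This is an added example written for this page, not OfflineIMAP's own code; the greeting, `FakeServer` and the two connect functions are constructed stand-ins.

```python
import re

# Constructed IMAP greeting with a CAPABILITY response code, as a server sends it pre-TLS.
SERVER_GREETING = "* OK [CAPABILITY IMAP4rev1 LITERAL+ STARTTLS AUTH=PLAIN] ready"

def parse_capabilities(greeting):
    """Extract the capability tokens from an IMAP greeting carrying a CAPABILITY code."""
    match = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return set(match.group(1).split()) if match else set()

def strip_starttls(greeting):
    """Model the on-path tampering the page describes: the greeting arrives without STARTTLS."""
    return " ".join(tok for tok in greeting.split() if tok != "STARTTLS")

class FakeServer:
    """Constructed stand-in for the far end. accepts_starttls models whether the STARTTLS
    command gets an OK (the genuine server) or a rejection (a tampered path)."""

    def __init__(self, accepts_starttls=True):
        self.accepts_starttls = accepts_starttls
        self.tls_active = False

    def starttls(self):
        if self.accepts_starttls:
            self.tls_active = True
            return "OK Begin TLS negotiation now"
        return "BAD Unknown command"

def vulnerable_connect(greeting, server):
    """Pre-8.0.3 logic: trust the advertisement and skip STARTTLS when it is absent."""
    if "STARTTLS" not in parse_capabilities(greeting):
        return "cleartext"  # LOGIN would now be sent unencrypted
    server.starttls()
    return "tls"

def hardened_connect(greeting, server):
    """8.0.3 logic: warn when STARTTLS is missing but send it anyway, and never
    continue to authentication in cleartext if the command is rejected."""
    warnings = []
    if "STARTTLS" not in parse_capabilities(greeting):
        warnings.append("STARTTLS not advertised but configured; attempting anyway")
    reply = server.starttls()
    if not reply.startswith("OK"):
        raise ConnectionError("STARTTLS refused, not authenticating in cleartext: " + reply)
    return "tls", warnings
```

With the genuine greeting both versions negotiate TLS; with the stripped greeting only the hardened path does, and a rejected STARTTLS command makes it abort rather than log in over cleartext.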
Preconditions
- network: The attacker must be in a network position to intercept traffic between the client and the IMAP server.
- input: The IMAP server must be configured to advertise STARTTLS, but the attacker manipulates the communication to remove this advertisement.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.