CVE-2020-37248
OfflineIMAP STARTTLS Downgrade Credential Disclosure

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: MITRE

Description
OfflineIMAP before 8.0.3 trusts the server's advertised STARTTLS capability prior to authentication, which allows STRIPTLS (STARTTLS-stripping) man-in-the-middle attacks that take over the connection and extract account credentials in cleartext.
Meta Information
Generated: 2026-06-09
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor       Product      Version / Range
offlineimap  offlineimap  up to 8.0.3 (8.0.3 excluded)
CWE
CWE-348: The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
AI Quick Actions
Compliance Impact

The vulnerability in OfflineIMAP allows credentials to be transmitted in cleartext due to the lack of enforced STARTTLS, which exposes sensitive user information to man-in-the-middle attacks.

This exposure of sensitive data such as account credentials in plaintext can lead to non-compliance with common security requirements found in standards and regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information during transmission.

Because the vulnerability undermines the confidentiality of user credentials, organizations using vulnerable versions of OfflineIMAP may fail to meet the encryption and data protection controls required by these regulations.

Executive Summary

This vulnerability in OfflineIMAP before version 8.0.3 involves the client trusting the email server's advertised STARTTLS capability before authentication. If the server does not advertise STARTTLS, the client may send credentials in plaintext without enforcing encryption. This allows an attacker to perform a STRIPTLS or man-in-the-middle attack by removing the STARTTLS capability from the server's response, intercepting and extracting account credentials in cleartext.

The core issue is that OfflineIMAP does not enforce the use of STARTTLS even when configured, leading to insecure transmission of passwords if the server does not advertise STARTTLS. This behavior is uncommon among email clients and exposes users to credential theft.

Impact Analysis

This vulnerability can lead to your email account credentials being intercepted by an attacker through a man-in-the-middle attack. Because OfflineIMAP may send your password in cleartext if the server does not advertise STARTTLS, an attacker can strip the STARTTLS capability and capture your login information.

The impact includes unauthorized access to your email account, potential data theft, and compromise of sensitive information contained in your emails.

Detection Guidance

Exploitation of this vulnerability can be detected by monitoring whether OfflineIMAP connections negotiate STARTTLS as expected, or whether credentials are sent in plaintext because the STARTTLS capability was stripped from the server's response.

One way to detect this is to capture and analyze network traffic between the OfflineIMAP client and the email server to check if the STARTTLS command is issued and if the connection is encrypted afterward.

You can use tools like tcpdump or Wireshark to capture traffic and look for the presence or absence of STARTTLS in the server's capability response and whether the authentication credentials are sent in cleartext.

  • Use tcpdump to capture traffic on the relevant port (usually 143 for IMAP): tcpdump -i <interface> -s 0 -w capture.pcap port 143
  • Open the capture in Wireshark and filter for IMAP protocol to check if STARTTLS is advertised by the server and if the client issues the STARTTLS command.
  • Look for any authentication commands (e.g., LOGIN or AUTHENTICATE) sent before STARTTLS, or on a connection where STARTTLS was never negotiated; either indicates that credentials crossed the wire in plaintext.

Additionally, reviewing OfflineIMAP client logs for warnings about STARTTLS capability missing or skipped TLS negotiation can help detect this vulnerability.
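The traffic check described above, as an added example that is not part of this record or of OfflineIMAP: a small Python audit over a decoded IMAP session (constructed sample lines, in the form Wireshark's "Follow TCP Stream" would show them) that flags a capability list without STARTTLS and any LOGIN/AUTHENTICATE visible in cleartext. The session lines, tags and account values are all made up for the example.

```python
import re

# Constructed sample sessions (not real captures). "S:" lines come from the
# server, "C:" lines from the client, as a plaintext IMAP capture shows them.
NORMAL_SESSION = [
    "S: * OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Server ready",
    "C: a001 STARTTLS",
    "S: a001 OK Begin TLS negotiation now",
    # Everything after this point is encrypted and invisible to the capture.
]

STRIPPED_SESSION = [
    "S: * OK Server ready",
    "C: a001 CAPABILITY",
    "S: * CAPABILITY IMAP4rev1 AUTH=PLAIN",      # STARTTLS removed in transit
    "S: a001 OK CAPABILITY completed",
    "C: a002 LOGIN alice@example.net hunter2",   # credentials in cleartext
    "S: a002 OK LOGIN completed",
]

# Capability list either in the greeting ("[CAPABILITY ...]") or untagged.
CAPABILITY_RE = re.compile(r"(?:^S: \* CAPABILITY |\[CAPABILITY )([^\]\r\n]*)")
STARTTLS_RE = re.compile(r"^C: \S+ STARTTLS$", re.IGNORECASE)
AUTH_RE = re.compile(r"^C: \S+ (LOGIN|AUTHENTICATE)\b", re.IGNORECASE)


def audit_session(lines):
    """Classify one plaintext-captured IMAP session by its TLS posture."""
    advertised = None        # None = no capability list seen at all
    issued = False
    cleartext_auth = []
    for line in lines:
        if line.startswith("S:"):
            m = CAPABILITY_RE.search(line)
            if m:
                advertised = "STARTTLS" in m.group(1).upper().split()
        elif STARTTLS_RE.match(line):
            issued = True
        elif AUTH_RE.match(line):
            # A LOGIN/AUTHENTICATE visible in the capture was sent before TLS,
            # so the credentials crossed the wire unprotected.
            cleartext_auth.append(line.split()[2].upper())
    if cleartext_auth:
        verdict = "cleartext-credentials"
    elif issued:
        verdict = "ok"
    else:
        verdict = "starttls-missing"   # server never offered, client never tried
    return {"starttls_advertised": advertised, "starttls_issued": issued,
            "cleartext_auth": cleartext_auth, "verdict": verdict}
```

A "starttls-missing" verdict on a connection that OfflineIMAP was configured to protect is the pre-fix behaviour this record describes; "cleartext-credentials" means the password is already exposed and should be rotated.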

Mitigation Strategies

To mitigate this vulnerability, ensure that OfflineIMAP enforces the use of STARTTLS when configured and does not silently skip TLS negotiation if the server does not advertise STARTTLS.

Update OfflineIMAP to a version that includes the fix where the client logs a warning and attempts STARTTLS regardless of the server's advertised capabilities, failing the connection if STARTTLS is not supported.

  • Configure OfflineIMAP with 'starttls = yes' to require STARTTLS.
  • If the server does not support STARTTLS, either switch to implicit TLS (e.g., using port 993 for IMAPS) or confirm explicitly with the user before sending credentials in plaintext.

These steps prevent man-in-the-middle STRIPTLS attacks by ensuring credentials are not sent in cleartext and that TLS negotiation is properly enforced.
