Evolution GNOME Evolution

Do you want an email whenever new security vulnerabilities are reported in GNOME Evolution?

By the Year

In 2024 there have been 0 vulnerabilities in GNOME Evolution . Evolution did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 0 0.00
2022 0 0.00
2021 2 5.55
2020 2 7.00
2019 1 6.50
2018 1 9.80

It may take a day or so for new Evolution vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent GNOME Evolution Security Vulnerabilities

Multiple directory traversal and buffer overflow vulnerabilities were discovered in yTNEF, and in Evolution's TNEF parser

CVE-2009-3721 7.8 - High - May 26, 2021

Multiple directory traversal and buffer overflow vulnerabilities were discovered in yTNEF, and in Evolution's TNEF parser that is derived from yTNEF. A crafted email could cause these applications to write data in arbitrary locations on the filesystem, crash, or potentially execute arbitrary code when decoding attachments.

Directory traversal

GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key

CVE-2021-3349 3.3 - Low - February 01, 2021

GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior

Insufficient Verification of Data Authenticity

An issue was discovered in GNOME Evolution before 3.35.91

CVE-2020-11879 6.5 - Medium - April 17, 2020

An issue was discovered in GNOME Evolution before 3.35.91. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make Evolution attach local files or directories to a composed email message without showing a warning to the user, as demonstrated by an attach=. value.

The gpg_ctx_add_recipient function in camel/camel-gpg-context.c in GNOME Evolution 3.8.4 and earlier and Evolution Data Server 3.9.5 and earlier does not properly select the GPG key to use for email encryption, which might cause the email to be encrypted with the wrong key and

CVE-2013-4166 7.5 - High - February 06, 2020

The gpg_ctx_add_recipient function in camel/camel-gpg-context.c in GNOME Evolution 3.8.4 and earlier and Evolution Data Server 3.9.5 and earlier does not properly select the GPG key to use for email encryption, which might cause the email to be encrypted with the wrong key and allow remote attackers to obtain sensitive information.

Information Disclosure

GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email

CVE-2018-15587 6.5 - Medium - February 11, 2019

GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment.

Improper Verification of Cryptographic Signature

addressbook/backends/ldap/e-book-backend-ldap.c in Evolution-Data-Server in GNOME Evolution through 3.29.2 might allow attackers to trigger a Buffer Overflow via a long query

CVE-2018-12422 9.8 - Critical - June 15, 2018

addressbook/backends/ldap/e-book-backend-ldap.c in Evolution-Data-Server in GNOME Evolution through 3.29.2 might allow attackers to trigger a Buffer Overflow via a long query that is processed by the strcat function. NOTE: the software maintainer disputes this because "the code had computed the required string length first, and then allocated a large-enough buffer on the heap.

Buffer Overflow

GNOME Evolution before 3.2.3

CVE-2011-3201 - March 08, 2013

GNOME Evolution before 3.2.3 allows user-assisted remote attackers to read arbitrary files via the attachment parameter to a mailto: URL, which attaches the file to the email.

Information Disclosure

Integer overflow in camel-lock-helper in Evolution 2.0.2 and earlier

CVE-2005-0102 9.8 - Critical - January 24, 2005

Integer overflow in camel-lock-helper in Evolution 2.0.2 and earlier allows local users or remote malicious POP3 servers to execute arbitrary code via a length value of -1, which leads to a zero byte memory allocation and a buffer overflow.

Integer Overflow or Wraparound

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Debian Linux or by GNOME? Click the Watch button to subscribe.

GNOME
Vendor

subscribe