The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and possibly other versions including 1.0.4, treats two strings as equal if one is a substring of the other, which allows remote attackers to spoof trusted certificates via a crafted subjectAltName.
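Added illustration, not libESMTP's source: one way a name comparison ends up accepting a partial match is a loop that stops at the end of the shorter label, shown here beside a form that checks the lengths first. The function names and host names are constructed for this example, and wildcard handling is left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef int (*label_cmp)(const char *, size_t, const char *, size_t);

/* Hypothetical flawed pattern: the loop ends when EITHER label runs out,
   so a label that is only a prefix of the other is reported as equal. */
int label_equal_flawed(const char *a, size_t alen, const char *b, size_t blen)
{
    for (size_t i = 0; i < alen && i < blen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Strict form: the lengths must agree before any bytes are compared. */
int label_equal_strict(const char *a, size_t alen, const char *b, size_t blen)
{
    return alen == blen && label_equal_flawed(a, alen, b, blen);
}

/* Compare two DNS names label by label with the supplied comparator.
   Exact names only; no wildcard handling in this sketch. */
int host_matches(const char *cert_name, const char *host, label_cmp cmp)
{
    for (;;) {
        size_t clen = strcspn(cert_name, "."), hlen = strcspn(host, ".");
        if (!cmp(cert_name, clen, host, hlen))
            return 0;
        cert_name += clen;
        host += hlen;
        if (*cert_name == '\0' || *host == '\0')
            return *cert_name == '\0' && *host == '\0';
        cert_name++;    /* step over the '.' separator */
        host++;
    }
}

int main(void)
{
    /* Constructed names: the certificate name is one character short. */
    const char *san = "mail.example.co", *host = "mail.example.com";
    printf("flawed: %d\n", host_matches(san, host, label_equal_flawed));
    printf("strict: %d\n", host_matches(san, host, label_equal_strict));
    return 0;
}
```

A regression test for a certificate name matcher should include pairs like these, where one name is a truncated form of the other, alongside the usual exact and case-differing matches.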
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
Stafford.uklinux Libesmtp 0.8.4 (not an official CPE)
Stafford.uklinux Libesmtp 0.8.7 (not an official CPE)
Stafford.uklinux Libesmtp 0.8.6 (not an official CPE)
Stafford.uklinux Libesmtp 0.6 (not an official CPE)
Stafford.uklinux Libesmtp 0.8.9 (not an official CPE)
Stafford.uklinux Libesmtp 0.8.8 (not an official CPE)
Stafford.uklinux Libesmtp 1.0 (not an official CPE)
Stafford.uklinux Libesmtp 0.1 - (not an official CPE)
Stafford.uklinux Libesmtp 0.8.0 (not an official CPE)
Stafford.uklinux Libesmtp 0.8.3 (not an official CPE)
Stafford.uklinux Libesmtp 0.8.2 (not an official CPE)
Stafford.uklinux Libesmtp 0.8.5 (not an official CPE)
Stafford.uklinux Libesmtp 0.8.1 (not an official CPE)
Stafford.uklinux Libesmtp 0.6.1 (not an official CPE)
Stafford.uklinux Libesmtp 0.3 (not an official CPE)
Stafford.uklinux Libesmtp 0.8.10 P1 (not an official CPE)
Stafford.uklinux Libesmtp 0.8.11 (not an official CPE)
Stafford.uklinux Libesmtp 0.8.12 (not an official CPE)
Stafford.uklinux Libesmtp 0.4 (not an official CPE)
Stafford.uklinux Libesmtp 0.8.10 (not an official CPE)
Stafford.uklinux Libesmtp 0.5 (not an official CPE)
Stafford.uklinux Libesmtp 0.2 (not an official CPE)
Stafford.uklinux Libesmtp 0.7.0 (not an official CPE)
Stafford.uklinux Libesmtp 0.7.1 (not an official CPE)
Stafford.uklinux Libesmtp 1.0.2 (not an official CPE)
Stafford.uklinux Libesmtp 0.6 A (not an official CPE)
Stafford.uklinux Libesmtp 1.0.4 (not an official CPE)
Stafford.uklinux Libesmtp 1.0.1 (not an official CPE)
Stafford.uklinux Libesmtp 0.1 A (not an official CPE)
Stafford.uklinux Libesmtp 1.0.3 (not an official CPE)
Stafford.uklinux Libesmtp 1.0 Rc1 (not an official CPE)
Stafford.uklinux Libesmtp 1.0.3 R1 (not an official CPE)