A flaw was found in mbsync before v1.3.5 and v1.4.1. mbsync doesn't validate the mailbox names returned by IMAP LIST/LSUB, which allows a malicious/compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel.
External References: https://www.openwall.com/lists/oss-security/2021/02/22/1
Created isync tracking bugs for this issue:
Affects: epel-all [bug 1931598]
Affects: fedora-all [bug 1931597]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
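
The missing check described in the flaw statement, sketched as an added example; this is not the isync project's code or its actual patch. The function name is hypothetical, and the example assumes the client translates the server's hierarchy delimiter to '/' when it builds the local path. It also rejects absolute names, which goes beyond the '..' case named above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: return 1 if a mailbox name received in an IMAP
 * LIST/LSUB response is safe to map onto a path below the local store,
 * 0 otherwise. 'delim' is the hierarchy delimiter the server reported.
 * Assumption: the delimiter is translated to '/' locally, so both
 * characters are treated as component separators here. */
int mailbox_name_is_safe(const char *name, char delim)
{
    if (!name || !*name)
        return 0;               /* empty name: nothing to map */
    if (name[0] == '/')
        return 0;               /* absolute path: extra hardening */

    const char *p = name;
    for (;;) {
        size_t len = 0;
        while (p[len] && p[len] != '/' && p[len] != delim)
            len++;
        /* Compare whole components, so "notes..2021" stays valid
         * while "Archive/../x" is rejected. */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (!p[len])
            break;              /* last component checked */
        p += len + 1;           /* skip past the separator */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names, not taken from a real server. */
    static const struct { const char *name; char delim; } samples[] = {
        { "INBOX", '/' },
        { "Archive/2021", '/' },
        { "notes..2021", '/' },
        { "../../outside", '/' },
        { "Archive/../../outside", '/' },
        { "work|..|..|outside", '|' },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i].name,
               mailbox_name_is_safe(samples[i].name, samples[i].delim)
                   ? "accept" : "reject");
    return 0;
}
```

A client applying such a check should skip or refuse the offending mailbox before any local path is constructed, and log the rejected name so a misbehaving server is noticed.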