Has Squirrelmail CVE-2020-14933 been patched?


Well-Known Member


I am dealing with our PCI auditors. Since we use Squirrelmail for our company email client CVE-2020-14933 is an issue. The most recent version of SM in ports is squirrelmail-php73-20200422. I speculate that this means that the port is based on the SM source as of 2020-04-22. However, CVE-2020-14933 is shown as being reported on 2020-06-26.

Is there a patch for this?



Well-Known Member


Per the SquirrelMail mailing list from the chief maintainer:
On Thu, October 14, 2021 18:09, Paul Lesniewski wrote:
. . .
> See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106
> Has this been patched?

There is no vulnerability here.  Per OWASP:

In order to successfully exploit a PHP Object Injection vulnerability two conditions must be met:

  The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks, or to start a "POP chain".
  All of the classes used during the attack must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for such classes.

SquirrelMail doesn't qualify for that scenario.  Whoever accepted/assigned this CVE seems to have only taken the word of the reporter, who has no proof that I know of that there is any security issue.  If anyone knows differently, please get in touch.

I'll put something on our /security page to reflect the situation.

Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
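The two OWASP conditions quoted in the mailing-list reply are easiest to see in code. The following is an added example, not SquirrelMail's code and not from the thread; the AuditLogger class and the serialized string are constructed for illustration.

```php
<?php
// Added example (not from SquirrelMail): shows the two OWASP conditions for
// PHP object injection and the usual mitigation. Class and input are constructed.

// Condition 1: the application declares a class with a magic method.
class AuditLogger
{
    public $path = '/tmp/app.log';
    public static $wakeupCalls = 0;  // counter so we can observe whether __wakeup ran

    public function __wakeup()
    {
        // Any side effect placed here runs automatically inside unserialize().
        self::$wakeupCalls++;
    }
}

// Constructed serialized string that names the declared class (condition 2:
// the class exists when unserialize() is called, so PHP can instantiate it).
$untrusted = 'O:11:"AuditLogger":1:{s:4:"path";s:14:"/tmp/other.log";}';

// Unsafe: both conditions hold, so __wakeup() executes on externally supplied data.
$obj = unserialize($untrusted);
printf("unsafe:    class=%s wakeup_calls=%d\n", get_class($obj), AuditLogger::$wakeupCalls);

// Mitigated (PHP 7.0+): refuse object instantiation entirely. The same payload
// becomes __PHP_Incomplete_Class and no magic method is invoked, even though
// the class is still declared.
AuditLogger::$wakeupCalls = 0;
$safe = unserialize($untrusted, ['allowed_classes' => false]);
printf("hardened:  class=%s wakeup_calls=%d\n", get_class($safe), AuditLogger::$wakeupCalls);

// Preferable for plain data: JSON cannot describe objects with behaviour at all.
$data = json_decode(json_encode(['path' => '/tmp/other.log']), true);
printf("json:      path=%s\n", $data['path']);
```

The first printf reports wakeup_calls=1 and the second wakeup_calls=0, which is the difference between an application that meets the OWASP conditions and one that does not.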


Staff member


Make sure to post that response to the PR too. Or else the maintainer might be needlessly trying to get the same information.