CVE-2021-39361: 
Linux Debian vulnerability analysis and mitigation

CVE-2021-39361 affects GNOME evolution-rss through version 0.3.96. The vulnerability exists in network-soup.c where TLS certificate verification is not enabled on SoupSessionSync objects during creation, leaving users vulnerable to network Man-in-the-Middle (MITM) attacks. This issue is similar to CVE-2016-20011 (NVD).

The vulnerability stems from a security misconfiguration in the network-soup.c file where SoupSessionSync objects are created without enabling TLS certificate verification. This results in a CWE-295 (Improper Certificate Validation) weakness. The vulnerability has a CVSS v3.1 Base Score of 5.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

Without TLS certificate verification, attackers can perform Man-in-the-Middle (MITM) attacks against network connections made by the application. This could allow attackers to intercept and read sensitive data transmitted between the client and server (GNOME Blog).

Applications should update to use the modern SoupSession class which is secure by default, rather than the deprecated SoupSessionSync and SoupSessionAsync classes. For applications that must continue using these deprecated classes, TLS certificate verification should be explicitly enabled by setting SoupSession:tls-database, SoupSession:ssl-use-system-ca-file, or SoupSession:ssl-ca-file (GNOME Blog).