Aki Tuomi
2020-Aug-12 13:07 UTC
CVE-2020-12100: Receiving mail with deeply nested MIME parts leads to resource exhaustion.
Open-Xchange Security Advisory 2020-08-12

Affected product: Dovecot IMAP server
Internal reference: DOP-1849 (Bug ID)
Vulnerability type: Uncontrolled recursion (CWE-674)
Vulnerable version: 2.0
Vulnerable component: submission, lmtp, lda
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-04-23
CVE reference: CVE-2020-12100
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.

Risk:
A malicious actor can cause a denial of service to mail delivery by repeatedly sending mails with such content.

Workaround:
Limit MIME structures in the MTA.

Solution:
Upgrade to the fixed version.

Best regards,
Aki Tuomi
Open-Xchange oy
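As an added example of the workaround's idea (this is not the advisory's or Dovecot's own code), the check below scans a raw message for multipart boundaries with an explicit stack rather than recursion, reports the nesting depth, and lets an MTA-side filter reject anything above a chosen limit before a full MIME parser ever sees it. The sample messages and the limit used in the test are constructed for the illustration.

```python
import re

# Constructed sample (not from the advisory): three nested multipart levels,
# with one Content-Type header folded across two lines.
NESTED = (
    b'Content-Type: multipart/mixed; boundary="L1"\r\n\r\n'
    b'--L1\r\nContent-Type: multipart/alternative; boundary="L2"\r\n\r\n'
    b'--L2\r\nContent-Type: multipart/related;\r\n boundary="L3"\r\n\r\n'
    b'--L3\r\nContent-Type: text/plain\r\n\r\nhello\r\n'
    b'--L3--\r\n--L2--\r\n--L1--\r\n'
)
FLAT = b'Content-Type: text/plain\r\n\r\nhello\r\n'

BOUNDARY_RE = re.compile(rb'boundary\s*=\s*"?([^";\s]+)"?', re.IGNORECASE)

def mime_depth(raw: bytes) -> int:
    """Deepest multipart nesting level, found with a boundary stack, no recursion."""
    stack = []            # boundaries of the multipart parts currently open
    deepest = 0
    header = b""          # current header field, continuation lines unfolded
    in_headers = True     # a message starts with its top-level header block
    for line in raw.splitlines():
        if in_headers:
            if line[:1] in (b" ", b"\t"):         # folded line (RFC 5322 2.2.3)
                header += b" " + line.strip()
                continue
            low = header.lower()
            if low.startswith(b"content-type:") and b"multipart/" in low:
                m = BOUNDARY_RE.search(header)
                if m:
                    stack.append(m.group(1))
                    deepest = max(deepest, len(stack))
            header = line
            if line == b"":                       # blank line ends the header block
                in_headers = False
            continue
        if stack and line == b"--" + stack[-1] + b"--":
            stack.pop()                           # closing delimiter of innermost part
        elif stack and line == b"--" + stack[-1]:
            in_headers, header = True, b""        # a new part begins with its headers
    return deepest

def within_limit(raw: bytes, max_depth: int) -> bool:
    """MTA-side policy check: accept only messages nested no deeper than max_depth."""
    return mime_depth(raw) <= max_depth

if __name__ == "__main__":
    print(mime_depth(NESTED), within_limit(NESTED, 2))   # 3 False
```

Memory use of the scanner grows only with the nesting depth it reports, so it stays cheap even on the messages this advisory describes.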