Description
A flaw was found in Dovecot. An unauthenticated, remote attacker can send a specially crafted message to the ManageSieve service before authenticating that causes managesieve to allocate a large amount of memory. By repeatedly crashing the process this way, the attacker can make managesieve-login unavailable, resulting in a denial of service. Protect access to the ManageSieve protocol, or install a fixed version. No publicly available exploits are known.
Statement
This flaw allows an unauthenticated, remote attacker to cause a denial of service via a specially crafted message. For this reason the vulnerability has been rated Important.
Mitigation
To mitigate this vulnerability, protect access to the ManageSieve protocol: configure firewall rules that restrict the ManageSieve port (TCP 4190 by default) so that connections are accepted only from trusted IP addresses or networks. Because the crafted message is processed before authentication, credentials offer no protection; the exposure is reduced only by limiting who can reach the listener, or by installing a fixed version.
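As an added example (not part of the advisory or of Dovecot's own documentation), an nftables fragment that implements the mitigation above. It assumes the listener is on the ManageSieve default port TCP 4190 and uses 10.0.0.0/8 and 192.168.1.0/24 as placeholder trusted networks; the rest of the host's input ruleset is assumed to exist already and is not shown.

```nft
# Added example, not from the advisory. Only the ManageSieve-related rules
# are shown; the host's remaining input policy is assumed to exist already.
# 10.0.0.0/8 and 192.168.1.0/24 are placeholder trusted networks; change the
# port if the listener is not on the ManageSieve default (TCP 4190).
table inet filter {
    set managesieve_trusted {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 192.168.1.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        ct state established,related accept

        # Weak configuration: with no rule matching TCP/4190, the accept
        # policy lets any host on the Internet reach the pre-authentication
        # code path in managesieve-login.

        # Corrected: accept only trusted IPv4 sources, count and drop the rest.
        tcp dport 4190 ip saddr @managesieve_trusted accept
        tcp dport 4190 counter drop

        # "ip saddr" matches IPv4 only. If the service listens on IPv6 as
        # well, either add an ipv6_addr set of trusted networks or, as here,
        # drop all IPv6 ManageSieve traffic when no IPv6 clients are expected.
        meta nfproto ipv6 tcp dport 4190 counter drop
    }
}
```

Load the fragment with `nft -f <file>` and confirm the result with `nft list ruleset`. The `counter` on the two drop rules makes it easy to see from `nft list ruleset` whether untrusted hosts are probing the port. Keep the trusted set as small as possible: every address that can reach the listener can still trigger the memory allocation, since the crafted message is handled before any authentication takes place.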
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | dovecot | Affected | | |
| Red Hat Enterprise Linux 6 | dovecot | Affected | | |
| Red Hat Enterprise Linux 7 | dovecot | Affected | | |
| Red Hat Enterprise Linux 8 | dovecot | Affected | | |
| Red Hat Enterprise Linux 9 | dovecot | Affected | | |
Additional information
CVSS3: 7.5 (High)
Related vulnerabilities
Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install fixed version. No publicly available exploits are known.