List:       oss-security
Subject:    [oss-security] CVE-2020-12100: Dovecot IMAP server: Receiving mail with deeply nested MIME parts lea
From:       Aki Tuomi <aki.tuomi () dovecot ! fi>
Date:       2020-08-12 13:07:36
Message-ID: 956af3a4-9b97-ad3f-cea5-001e9afe3435 () dovecot ! fi


Open-Xchange Security Advisory 2020-08-12

Affected product: Dovecot IMAP server
Internal reference: DOP-1849 (Bug ID)
Vulnerability type: Uncontrolled recursion (CWE-674)
Vulnerable version: 2.0
Vulnerable component: submission, lmtp, lda
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-04-23
CVE reference: CVE-2020-12100
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details:
Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.

Risk:
A malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad content.

Workaround:
Limit MIME structures in MTA.

Solution:
Upgrade to fixed version.

Best regards,

Aki Tuomi
Open-Xchange oy
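
The workaround in the advisory is to limit MIME structures in the MTA. As an added example (not part of the advisory and not Dovecot code), this pre-delivery check measures nesting depth in one iterative pass so the checker itself cannot recurse; `mime_depth`, `build_nested` and `MAX_DEPTH` are hypothetical names, and the limit of 20 is an assumed policy value that the advisory does not give.

```python
import re

MAX_DEPTH = 20  # assumed policy limit; the advisory does not specify a number
_CT = re.compile(rb"^content-type:\s*([^;\s]+)", re.I | re.M)
_BOUNDARY = re.compile(rb'boundary\s*=\s*(?:"([^"]+)"|([^;\s]+))', re.I)

def mime_depth(raw: bytes, limit: int = MAX_DEPTH) -> int:
    """Deepest MIME nesting level seen; returns early once it exceeds limit."""
    stack, deepest = [], 0          # open containers: boundary, or None for message/rfc822
    headers, in_headers = [], True  # header lines of the entity being read
    for line in raw.splitlines():
        if in_headers:
            if line.strip():
                headers.append(line)
                continue
            block, headers = b"\n".join(headers), []   # blank line ends the headers
            ct = _CT.search(block)
            ctype = ct.group(1).lower() if ct else b"text/plain"
            bnd = _BOUNDARY.search(block, ct.end()) if ct else None
            if ctype.startswith(b"multipart/") and bnd:
                stack.append(bnd.group(1) or bnd.group(2))
            elif ctype == b"message/rfc822":
                stack.append(None)
            else:
                in_headers = False                     # leaf part: skip its body
                continue
            deepest = max(deepest, len(stack))
            if deepest > limit:
                return deepest                         # stop parsing, reject the mail
            in_headers = stack[-1] is None             # embedded message starts with headers
        elif line.startswith(b"--"):
            marker = line.rstrip()[2:]
            for i in range(len(stack) - 1, -1, -1):    # bounded by limit + 1 entries
                b = stack[i]
                if b is not None and marker == b:      # next part of container i
                    del stack[i + 1:]
                    in_headers = True
                    break
                if b is not None and marker == b + b"--":  # container i closed
                    del stack[i:]
                    break
    return deepest

def build_nested(n: int) -> bytes:
    """Constructed sample input: n multipart containers nested inside each other."""
    opens = [ln for i in range(n) for ln in
             (b'Content-Type: multipart/mixed; boundary="b%d"' % i, b"", b"--b%d" % i)]
    closes = [b"--b%d--" % i for i in reversed(range(n))]
    return b"\r\n".join(opens + [b"Content-Type: text/plain", b"", b"hello"] + closes)
```

A content filter or milter can reject or defer the message when `mime_depth(raw) > MAX_DEPTH`, before it reaches submission, lmtp or lda.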



