CVE-2020-7957 - OpenCVE

The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Dovecot	Dovecot
Fedoraproject	Fedora

Configuration 1 [-]

cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:30:::::::*
	cpe:2.3:o:fedoraproject:fedora:31:::::::*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2020/02/12/2	Exploit Mailing List Third Party Advisory
https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html	Exploit Mailing List Vendor Advisory
https://dovecot.org/security	Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-02-12T16:50:56

Updated: 2020-02-20T06:06:09

Reserved: 2020-01-24T00:00:00

Link: CVE-2020-7957

JSON object: View

NVD Information

Status : Modified

Published: 2020-02-12T17:15:12.563

Modified: 2023-11-07T03:26:14.137

Link: CVE-2020-7957

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:H/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:R", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-02-20T06:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://dovecot.org/security"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.openwall.com/lists/oss-security/2020/02/12/2"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html"}, {"name": "FEDORA-2020-10a58fda28", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/"}, {"name": "FEDORA-2020-0e6a67af5a", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-7957", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:H/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:R", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security"}, {"name": "http://www.openwall.com/lists/oss-security/2020/02/12/2", "refsource": "CONFIRM", "url": "http://www.openwall.com/lists/oss-security/2020/02/12/2"}, {"name": "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html", "refsource": "CONFIRM", "url": "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html"}, {"name": "FEDORA-2020-10a58fda28", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/"}, {"name": "FEDORA-2020-0e6a67af5a", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-7957", "datePublished": "2020-02-12T16:50:56", "dateReserved": "2020-01-24T00:00:00", "dateUpdated": "2020-02-20T06:06:09", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0CB6EFB-63A3-4B07-8B44-3EB087307500", "versionEndExcluding": "2.3.9.3", "versionStartIncluding": "2.3.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages."}, {"lang": "es", "value": "Los plugins IMAP y LMTP en Dovecot versiones 2.3.9 anteriores a 2.3.9.3, manejan inapropiadamente la generaci\u00f3n de fragmentos cuando se deben leer muchos caracteres para calcular el fragmento y existe un car\u00e1cter ) al final. Esto provoca una denegaci\u00f3n de servicio en la que el destinatario no puede leer todos sus mensajes."}], "id": "CVE-2020-7957", "lastModified": "2023-11-07T03:26:14.137", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-12T17:15:12.563", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/02/12/2"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Vendor Advisory"], "url": "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://dovecot.org/security"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}