CVE-2017-2669

Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.

Configurations

Configuration 1

cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*

Configuration 2

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

History

21 Nov 2024, 03:23

Type | Values Removed | Values Added
CVSS | v2 : 5.0, v3 : 7.5 | v2 : 5.0, v3 : 3.7
References | http://www.openwall.com/lists/oss-security/2017/04/11/1 - Mailing List, Third Party Advisory | http://www.openwall.com/lists/oss-security/2017/04/11/1 - Mailing List, Third Party Advisory
References | http://www.securityfocus.com/bid/97536 - Third Party Advisory, VDB Entry | http://www.securityfocus.com/bid/97536 - Third Party Advisory, VDB Entry
References | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669 - Issue Tracking, Third Party Advisory | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669 - Issue Tracking, Third Party Advisory
References | https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html - Vendor Advisory | https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html - Vendor Advisory
References | https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch - Third Party Advisory | https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch - Third Party Advisory
References | https://www.debian.org/security/2017/dsa-3828 - Third Party Advisory | https://www.debian.org/security/2017/dsa-3828 - Third Party Advisory

Information

Published : 2018-06-21 13:29

Updated : 2024-11-21 03:23

NVD link : CVE-2017-2669

Mitre link : CVE-2017-2669

CVE.ORG link : CVE-2017-2669

Products Affected

debian

  • debian_linux

dovecot

  • dovecot

CWE

CWE-20 - Improper Input Validation