CVE-2008-2711 — Improper Input Validation in Fetchmail

CWE-20 — Improper Input Validation CWE-665 — Improper Initialization7 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

3.3%

top 12.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fetchmail Debian Fetchmail

Timeline

PublishedJun 16

Latest updateMay 1

Description

fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which triggers an erroneous dereference when using vsnprintf to format log messages.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/fetchmail< fetchmail 6.3.9~rc2-1 (bookworm)

▶Debianfetchmail/fetchmail< 6.3.9~rc2-1+2

▶NVDfetchmail/fetchmail6.3.8+100

🔴Vulnerability Details

GHSA

GHSA-mgrc-7p8m-89r3: fetchmail 6↗2022-05-01

▶

OSV

CVE-2008-2711: fetchmail 6↗2008-06-16

▶

📋Vendor Advisories

Red Hat

fetchmail: DoS or information disclosure when logging long messages↗2021-07-28

▶

Red Hat

fetchmail: Crash in large log messages in verbose mode↗2008-06-13

▶

Debian

CVE-2008-2711: fetchmail - fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows re...↗2008

▶

💬Community

Bugzilla

CVE-2008-2711 fetchmail: Crash in large log messages in verbose mode↗2008-06-17

▶