CVE-2008-4907
Published: 2008-11-04
Priority: P419 | medium | 4.3 | CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 6.20% (92.6th percentile)
The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From address, which triggers an assertion error, aka "invalid message address parsing bug."
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dovecot | < dovecot 1:1.1.7-1 (bookworm) | dovecot 1:1.1.7-1 (bookworm) |
| dovecot | dovecot | — | — |
| dovecot | dovecot | — | — |
| dovecot | dovecot | >= 0 < 1:1.1.7-1 | 1:1.1.7-1 |
| dovecot | dovecot | >= 0 < 1:1.1.7-1 | 1:1.1.7-1 |
| dovecot | dovecot | >= 0 < 1:1.1.7-1 | 1:1.1.7-1 |
| dovecot | dovecot | >= 0 < 1:1.1.7-1 | 1:1.1.7-1 |
CVSS provenance
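| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | LOW | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |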
Ubuntu
Dovecot vulnerability
vendor_ubuntu·2008-11-07
CVE-2008-4907 Dovecot vulnerability
Title: Dovecot vulnerability
Summary: Dovecot vulnerability
It was discovered that certain email headers were not correctly handled by Dovecot. If a remote attacker sent a specially crafted email to a user with a mailbox managed by Dovecot, that user's mailbox would become inaccessible through Dovecot, leading to a denial of service.
Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Red Hat
dovecot: per-user DoS via message with malformed headers
vendor_redhat·2008-10-30·CVSS 4.3
CVE-2008-4907 [MEDIUM] dovecot: per-user DoS via message with malformed headers
Statement: Not vulnerable. This issue did not affect the versions of the dovecot package, as shipped with Red Hat Enterprise Linux 4 or 5.
Debian
CVE-2008-4907: dovecot - The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENV...
vendor_debian·2008·CVSS 4.3
CVE-2008-4907 [MEDIUM] CVE-2008-4907: dovecot - The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENV...
Scope: local
bookworm: resolved (fixed in 1:1.1.7-1)
bullseye: resolved (fixed in 1:1.1.7-1)
forky: resolved (fixed in 1:1.1.7-1)
sid: resolved (fixed in 1:1.1.7-1)
trixie: resolved (fixed in 1:1.1.7-1)
GHSA
GHSA-cfr9-jq6w-r8wj: The message parsing feature in Dovecot 1
ghsa_unreviewed·2022-05-17
CVE-2008-4907 [MEDIUM] CWE-20 GHSA-cfr9-jq6w-r8wj: The message parsing feature in Dovecot 1
OSV
CVE-2008-4907: The message parsing feature in Dovecot 1
osv·2008-11-04·CVSS 4.3
CVE-2008-4907 [MEDIUM] CVE-2008-4907: The message parsing feature in Dovecot 1
No detection rules found.
References
http://secunia.com/advisories/32479
http://secunia.com/advisories/32677
http://secunia.com/advisories/33149
http://security.gentoo.org/glsa/glsa-200812-16.xml
http://www.dovecot.org/list/dovecot-news/2008-October/000089.html
http://www.securityfocus.com/bid/31997
http://www.ubuntu.com/usn/usn-666-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/46227