Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-4907: Improper Input Validation in Dovecot

Severity: 4.3 MEDIUM (NVD)
EPSS: 14.3% (top 5.58%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline
Published: Nov 4
Latest update: May 17

Description

The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From address, which triggers an assertion error, aka "invalid message address parsing bug."

CVSS vector

AV:N/AC:M/C:N/I:N/A:P
Exploitability: 8.6 | Impact: 2.9

Affected Packages (3 packages)

debian: debian/dovecot < dovecot 1:1.1.7-1 (bookworm)
Debian: dovecot/dovecot < 1:1.1.7-1 (+3 more)
NVD: dovecot/dovecot 1.1.4, 1.1.5 (+1 more)

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-cfr9-jq6w-r8wj: The message parsing feature in Dovecot 1 (2022-05-17)
OSV: CVE-2008-4907: The message parsing feature in Dovecot 1 (2008-11-04)

💥 Exploits & PoCs (1)

Exploit-DB: Dovecot 1.1.x - Invalid Message Address Parsing Denial of Service (2008-10-30)

📋 Vendor Advisories (3)

Ubuntu: Dovecot vulnerability (2008-11-07)
Red Hat: dovecot: per-user DoS via message with malformed headers (2008-10-30)
Debian: CVE-2008-4907: dovecot - The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENV... (2008)

💬 Community (1)

Bugzilla: CVE-2008-4907 dovecot: per-user DoS via message with malformed headers (2008-11-04)