CVE-2009-0582 — Improper Input Validation in Evolution-data-server

CWE-20 — Improper Input Validation7 documents7 sources

Severity

5.8MEDIUMNVD

EPSS

3.5%

top 12.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Evolution-data-server

Timeline

PublishedMar 14

Latest updateMay 2

Description

The ntlm_challenge function in the NTLM SASL authentication mechanism in camel/camel-sasl-ntlm.c in Camel in Evolution Data Server (aka evolution-data-server) 2.24.5 and earlier, and 2.25.92 and earlier 2.25.x versions, does not validate whether a certain length value is consistent with the amount of data in a challenge packet, which allows remote mail servers to read information from the process memory of a client, or cause a denial of service (client crash), via an NTLM authentication type 2 p…

CVSS vector

AV:N/AC:M/C:P/I:N/A:PExploitability: 8.6 | Impact: 4.9

Affected Packages2 packages

▶Debiangnome/evolution-data-server< 2.26.1.1-1+3

▶NVDgnome/evolution-data-server2.24.5+1

🔴Vulnerability Details

GHSA

GHSA-8ccp-gg5r-vjf4: The ntlm_challenge function in the NTLM SASL authentication mechanism in camel/camel-sasl-ntlm↗2022-05-02

▶

OSV

CVE-2009-0582: The ntlm_challenge function in the NTLM SASL authentication mechanism in camel/camel-sasl-ntlm↗2009-03-14

▶

CVEList

CVE-2009-0582: The ntlm_challenge function in the NTLM SASL authentication mechanism in camel/camel-sasl-ntlm↗2009-03-14

▶

📋Vendor Advisories

Red Hat

evolution-data-server: insufficient checking of NTLM authentication challenge packets↗2009-03-12

▶

Debian

CVE-2009-0582: evolution-data-server - The ntlm_challenge function in the NTLM SASL authentication mechanism in camel/c...↗2009

▶

💬Community

Bugzilla

CVE-2009-0582 evolution-data-server: insufficient checking of NTLM authentication challenge packets↗2009-02-27

▶