CVE-2009-0688 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Cyrus-sasl2

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer9 documents7 sources

Severity

7.5HIGHNVD

EPSS

39.5%

top 2.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Cyrus-sasl2 Carnegie Mellon University Cyrus-sasl

Timeline

PublishedMay 15

Latest updateMay 3

Description

Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶debiandebian/cyrus-sasl2< cyrus-sasl2 2.1.23.dfsg1-1 (bookworm)

▶NVDcarnegie_mellon_university/cyrus-sasl2.1.22+45

Patches

Patch: ftp.andrew.cmu.edu ↗Patch: www.kb.cert.org ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-pjpw-9mvc-5cwc: Multiple buffer overflows in the CMU Cyrus SASL library before 2↗2022-05-03

▶

OSV

CVE-2009-0688: Multiple buffer overflows in the CMU Cyrus SASL library before 2↗2009-05-15

▶

📋Vendor Advisories

Ubuntu

Cyrus SASL vulnerability↗2009-06-24

▶

Debian

CVE-2009-0688: cyrus-sasl2 - Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allo...↗2009

▶

Red Hat

cyrus-sasl: sasl_encode64() does not reliably null-terminate its output↗2008-05-15

▶

💬Community

Bugzilla

CVE-2009-0688 cyrus-imapd uses sasl_encode64() improperly↗2009-06-04

▶

Bugzilla

sendmail may use sasl_encode64() improperly↗2009-06-04

▶

Bugzilla

CVE-2009-0688 cyrus-sasl: sasl_encode64() does not reliably null-terminate its output↗2009-02-25

▶