CVE-2017-14230 — Improper Input Validation in Imap

CWE-20 — Improper Input Validation CWE-193 — Off-by-one Error7 documents6 sources

Severity

9.1CRITICALNVD

EPSS

0.9%

top 24.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cyrus Imap

Timeline

PublishedSep 10

Latest updateMay 17

Description

In the mboxlist_do_find function in imap/mboxlist.c in Cyrus IMAP before 3.0.4, an off-by-one error in prefix calculation for the LIST command caused use of uninitialized memory, which might allow remote attackers to obtain sensitive information or cause a denial of service (daemon crash) via a 'LIST "" "Other Users"' command.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages1 packages

▶NVDcyrus/imap3.0.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-ghq8-mj24-5v6f: In the mboxlist_do_find function in imap/mboxlist↗2022-05-17

▶

CVEList

CVE-2017-14230: In the mboxlist_do_find function in imap/mboxlist↗2017-09-10

▶

📋Vendor Advisories

Red Hat

cyrus-imapd: Off-by-one error in prefix calculation in the mboxlist_do_find function↗2017-08-31

▶

Debian

CVE-2017-14230: cyrus-imapd - In the mboxlist_do_find function in imap/mboxlist.c in Cyrus IMAP before 3.0.4, ...↗2017

▶

💬Community

Bugzilla

CVE-2017-14230 cyrus-imapd: Off-by-one error in prefix calculation in the mboxlist_do_find function↗2017-09-13

▶

Bugzilla

CVE-2017-14230 cyrus-imapd: Off-by-one error in prefix calculation in the mboxlist_do_find function [fedora-25]↗2017-09-13

▶