CVE-2017-15130 — Uncontrolled Resource Consumption in Dovecot

CWE-400 — Uncontrolled Resource Consumption9 documents7 sources

Severity

5.9MEDIUMNVD

OSV7.1

EPSS

1.2%

top 20.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot THE Dovecot Project Dovecot +2 more

Timeline

PublishedMar 2

Latest updateMay 13

Description

A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/dovecot< dovecot 1:2.2.34-1 (bookworm)

▶NVDdovecot/dovecot< 2.2.34

▶Debiandovecot/dovecot< 1:2.2.34-1+3

▶Ubuntudovecot/dovecot< 1:2.2.9-1ubuntu2.4+1

▶CVEListV5the_dovecot_project/dovecotbefore 2.2.34

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10

🔴Vulnerability Details

GHSA

GHSA-36px-qc55-gxh7: A denial of service flaw was found in dovecot before 2↗2022-05-13

▶

OSV

dovecot vulnerabilities↗2018-03-05

▶

OSV

CVE-2017-15130: A denial of service flaw was found in dovecot before 2↗2018-03-02

▶

📋Vendor Advisories

Ubuntu

Dovecot vulnerabilities↗2018-04-02

▶

Ubuntu

Dovecot vulnerabilities↗2018-03-05

▶

Red Hat

dovecot: TLS SNI config lookups are inefficient and can be used for DoS↗2018-02-28

▶

Debian

CVE-2017-15130: dovecot - A denial of service flaw was found in dovecot before 2.2.34. An attacker able to...↗2017

▶

💬Community

Bugzilla

CVE-2017-15130 dovecot: TLS SNI config lookups are inefficient and can be used for DoS↗2018-01-08

▶