CVE-2021-33582
Published 2021-09-01
CVE-2021-33582: Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table…
Priority P3 · 37 · high · 7.5 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 3.07% (86.0th percentile)
Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cyrus | imap | < 3.0.16 | 3.0.16 |
| cyrus | imap | >= 3.2.0 < 3.2.8 | 3.2.8 |
| cyrus | imap | >= 3.4.0 < 3.4.2 | 3.4.2 |
| debian | cyrus-imapd | < cyrus-imapd 3.4.2-1 (bookworm) | cyrus-imapd 3.4.2-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
CVSS provenance
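| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |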
OSV
cyrus-imapd vulnerabilities
osv·2025-01-22·CVSS 9.8
CVE-2019-18928 [CRITICAL] cyrus-imapd vulnerabilities
It was discovered that non-authentication-related HTTP requests could be interpreted in an authentication context by a Cyrus IMAP Server when multiple requests arrived over the same connection. An unauthenticated attacker could possibly use this issue to perform a privilege escalation attack. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-18928)
Matthew Horsfall discovered that Cyrus IMAP Server utilized a poor string hashing algorithm that could be abused to control where data was being stored. An attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-33582)
Damian Poddebniak discovered that Cyrus IMAP Server could interpret specially crafted commands to exploit a
GHSA
GHSA-prxx-4m38-9m83: Cyrus IMAP before 3
ghsa_unreviewed·2022-05-24
CVE-2021-33582 [HIGH] CWE-327 GHSA-prxx-4m38-9m83: Cyrus IMAP before 3
OSV
CVE-2021-33582: Cyrus IMAP before 3
osv·2021-09-01·CVSS 7.5
CVE-2021-33582 [HIGH] CVE-2021-33582: Cyrus IMAP before 3
Ubuntu
Cyrus IMAP Server vulnerabilities
vendor_ubuntu·2025-01-22·CVSS 9.8
CVE-2024-34055 [CRITICAL] Cyrus IMAP Server vulnerabilities
Title: Cyrus IMAP Server vulnerabilities
Summary: Several security issues were fixed in Cyrus IMAP Server.
Red Hat
cyrus-imapd: Denial of service via string hashing algorithm collisions
vendor_redhat·2021-09-01·CVSS 7.5
CVE-2021-33582 [HIGH] CWE-400 cyrus-imapd: Denial of service via string hashing algorithm collisions
A flaw was found in cyrus-imapd. A bad string hashing algorithm used in internal hash tables allows user inputs to be stored in predictable buckets. A user may cause a CPU denial of service by maliciously directing many inputs to a single bucket. The highest threat from this vulnerability is to system availability.
Package: cyrus-imapd (Red Hat Enterprise Linux 6) - Out of support scope
Package: cyrus-imapd (Red Hat Enterprise Linux 7
Debian
CVE-2021-33582: cyrus-imapd - Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (mu...
vendor_debian·2021·CVSS 7.5
CVE-2021-33582 [HIGH] CVE-2021-33582: cyrus-imapd - Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (mu...
Scope: local
bookworm: resolved (fixed in 3.4.2-1)
bullseye: resolved (fixed in 3.2.6-2+deb11u1)
forky: resolved (fixed in 3.4.2-1)
sid: resolved (fixed in 3.4.2-1)
trixie: resolved (fixed in 3.4.2-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://cyrus.topicbox.com/groups/announce/T3dde0a2352462975-M1386fc44adf967e072f8df13/cyrus-imap-3-4-2-3-2-8-and-3-0-16-released
https://github.com/cyrusimap/cyrus-imapd/commits/master
https://github.com/cyrusimap/cyrus-imapd/security/advisories
https://lists.debian.org/debian-lts-announce/2022/06/msg00013.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HEO3RURJW6NLIXS7NK5PVU6MGHC4SCM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJZB45QBUN7CZFGOWCZYUYACNBTX7LVS/
https://www.cyrusimap.org/imap/download/release-notes/index.html
Published: 2021-09-01