CVE-2021-33913: Out-of-bounds Write in Project Libspf2

Severity: 9.8 CRITICAL (NVD)
EPSS: 1.3% (top 19.90%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 19; Latest update Feb 21

Description

libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of SPF_record_expand_data in spf_expand.c. The amount of overflowed data depends on the relationship between the length of an entire domain name and the length of its leftmost label. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g.,

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

debian: debian/libspf2 < libspf2 1.2.10-7.1 (bookworm)
Debian: libspf2/libspf2 < 1.2.10-7.1~deb11u1+3
Ubuntu: libspf2/libspf2 < 1.2.10-7+deb9u2build0.20.04.1+3

Vulnerability Details (4)

OSV: libspf2 vulnerabilities (2024-02-21)
OSV: libspf2 vulnerabilities (2024-01-15)
GHSA: GHSA-7659-433m-4fhx: libspf2 before 1 (2022-01-20)
OSV: CVE-2021-33913: libspf2 before 1 (2022-01-19)

Vendor Advisories (3)

Ubuntu: Libspf2 vulnerabilities (2024-02-21)
Ubuntu: Libspf2 vulnerabilities (2024-01-15)
Debian: CVE-2021-33913: libspf2 - libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote a... (2021)