CVE-2021-35525 — Project Postsrsd vulnerability
5 documents, 4 sources
Severity
NVD: 5.3 MEDIUM
OSV: 7.5
EPSS
0.6%
top 30.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 28
Latest update: Sep 15
Description
PostSRSd before 1.11 allows a denial of service (subprocess hang) if Postfix sends certain long data fields such as multiple concatenated email addresses. NOTE: the PostSRSd maintainer acknowledges "theoretically, this error should never occur ... I'm not sure if there's a reliable way to trigger this condition by an external attacker, but it is a security bug in PostSRSd nevertheless."
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 4 packages
Patches
Vulnerability Details: 3
Vendor Advisories: 1
Debian
CVE-2021-35525: postsrsd - PostSRSd before 1.11 allows a denial of service (subprocess hang) if Postfix sen... (2021)