CVE-2021-3578: Incorrect Type Conversion or Cast in Project Isync

Severity: 7.8 HIGH (NVD)
EPSS: 1.9% (top 16.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 16; latest update Feb 17

Description

A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response. This could plausibly be exploited for remote code execution on the client.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (3 packages)

Source     | Package              | Affected versions
NVD        | isync_project/isync  | < 1.3.6 (+2)
Debian     | isync_project/isync  | < 1.3.0-2.2 (+3)
CVEListV5  | isync_project/isync  | isync 1.3.6, isync 1.4.2

Also affects: Debian Linux 9.0, Fedora 33, 34

Patches

Vulnerability Details

GHSA: GHSA-4r75-vj28-w5c7: A flaw was found in mbsync before v1... (2022-02-17)
OSV: CVE-2021-3578: A flaw was found in mbsync before v1... (2022-02-16)
CVEList: CVE-2021-3578: A flaw was found in mbsync before v1... (2022-02-16)

Vendor Advisories

Debian: CVE-2021-3578: isync - A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer ... (2021)