CVE-2021-3657: Improper Restriction of Operations within the Bounds of a Memory Buffer in Project Isync

Severity: 9.8 CRITICAL (NVD)
EPSS: 5.7% (top 9.53%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 18; latest update Feb 19

Description

A flaw was found in mbsync versions prior to 1.4.4. Due to inadequate handling of extremely large (>=2GiB) IMAP literals, malicious or compromised IMAP servers, and hypothetically even external email senders, could cause several different buffer overflows, which could conceivably be exploited for remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

NVD: isync_project/isync < 1.4.4
Debian: isync_project/isync < 1.3.0-2.2+deb11u1+3
CVEListV5: isync_project/isync isync 1.4.4

Also affects: Debian Linux 9.0, Fedora 35, Enterprise Linux 7.0

Vulnerability Details (3)

GHSA: GHSA-gq8r-4g7c-69vw: A flaw was found in mbsync versions prior to 1 | 2022-02-19
CVEList: CVE-2021-3657: A flaw was found in mbsync versions prior to 1 | 2022-02-18
OSV: CVE-2021-3657: A flaw was found in mbsync versions prior to 1 | 2022-02-18

Vendor Advisories (1)

Debian: CVE-2021-3657: isync - A flaw was found in mbsync versions prior to 1.4.4. Due to inadequate handling o... | 2021