CVE-2024-23184Allocation of Resources Without Limits or Throttling in Dovecot

CWE-770Allocation of Resources Without Limits or Throttling9 documents6 sources
Severity
5.0MEDIUMNVD
EPSS
0.5%
top 35.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
DovecotDebian DovecotOpen-xchange Gmbh OX Dovecot PRO
Timeline
PublishedSep 10
Latest updateSep 16

Description

Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on addre

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:NExploitability: 3.1 | Impact: 1.4

Affected Packages4 packages

debiandebian/dovecot< dovecot 1:2.3.19.1+dfsg1-2.1+deb12u1 (bookworm)
Debiandovecot/dovecot< 1:2.3.13+dfsg1-2+deb11u2+3
Ubuntudovecot/dovecot< 1:2.3.7.2-1ubuntu3.7+2

🔴Vulnerability Details

4
OSV
dovecot vulnerabilities2024-09-16
OSV
CVE-2024-23184: Having a large number of address headers (From, To, Cc, Bcc, etc2024-09-10
GHSA
GHSA-5f48-j349-fj3m: Having a large number of address headers (From, To, Cc, Bcc, etc2024-09-10
OSV
dovecot vulnerabilities2024-09-02

📋Vendor Advisories

4
Ubuntu
Dovecot vulnerabilities2024-09-16
Ubuntu
Dovecot vulnerabilities2024-09-02
Red Hat
dovecot: using a large number of address headers may trigger a denial of service2024-08-15
Debian
CVE-2024-23184: dovecot - Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes exces...2024