CVE-2024-23185: Allocation of Resources Without Limits or Throttling in Dovecot

Severity
NVD: 7.5 (High)
OSV: 5.0
EPSS: 0.7% (top 28.97%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Sep 10
Latest update: Sep 16

Description

Very large headers can cause resource exhaustion when parsing a message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, that parser builds up a "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit, so a large header can cause large memory usage. It doesn't matter whether it's a single long header line or a single header split (folded) across multiple lines; the accumulated size is what matters. This bug exists in all Dovecot versions.
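The mitigation pattern the description implies, as an added example that is not Dovecot's code: a chunked header-value accumulator that refuses to grow past a hard cap (MAX_HEADER_VALUE and the 'x' filler input are assumptions constructed for this example).

```c
#include <stdlib.h>
#include <string.h>

/* Assumed cap on one accumulated header value (constructed for this example). */
#define MAX_HEADER_VALUE 4096

/* Builds the full value of one header out of the chunks a message parser hands
 * over, the pattern the advisory describes, but with a hard upper bound. */
typedef struct {
    char *buf;
    size_t len, cap;
    int overflow;  /* set once the cap has been exceeded */
} header_acc;

/* Append one chunk (a line fragment or a folded continuation line).
 * Returns 0 on success, -1 once the value would exceed MAX_HEADER_VALUE. */
int acc_append(header_acc *a, const char *chunk, size_t n)
{
    if (a->overflow || n > MAX_HEADER_VALUE - a->len) {
        a->overflow = 1;  /* stop growing; caller rejects or truncates the header */
        return -1;
    }
    if (a->len + n + 1 > a->cap) {
        size_t ncap = a->cap ? a->cap : 256;
        while (ncap < a->len + n + 1) ncap *= 2;
        char *nb = realloc(a->buf, ncap);
        if (nb == NULL) { a->overflow = 1; return -1; }
        a->buf = nb; a->cap = ncap;
    }
    memcpy(a->buf + a->len, chunk, n);
    a->len += n; a->buf[a->len] = '\0';
    return 0;
}

/* Feed a header value of 'total' constructed filler bytes in fixed-size chunks,
 * as the message parser would; one long line or many folded lines accumulate
 * the same total. Returns the bytes accepted, or -1 once the cap was hit. */
long feed_header(size_t total, size_t chunk_size)
{
    header_acc a = {0};
    long rc = 0;
    if (chunk_size == 0) chunk_size = 1;
    char *chunk = malloc(chunk_size);
    if (chunk == NULL) return -1;
    memset(chunk, 'x', chunk_size);
    for (size_t off = 0; off < total; off += chunk_size) {
        size_t n = total - off < chunk_size ? total - off : chunk_size;
        if (acc_append(&a, chunk, n) != 0) { rc = -1; break; }
    }
    if (rc == 0) rc = (long)a.len;
    free(a.buf);
    free(chunk);
    return rc;
}
```

Without the cap check in acc_append the buffer grows with the header, which is the unbounded memory use the advisory describes.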

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

Debian, debian/dovecot: < dovecot 1:2.3.19.1+dfsg1-2.1+deb12u1 (bookworm)
Debian, dovecot/dovecot: < 1:2.3.13+dfsg1-2+deb11u2+3
Ubuntu, dovecot/dovecot: < 1:2.3.7.2-1ubuntu3.7+2

Vulnerability Details (4)

OSV: dovecot vulnerabilities (2024-09-16)
GHSA: GHSA-g9m4-c8qf-67qw: Very large headers can cause resource exhaustion when parsing message (2024-09-10)
OSV: CVE-2024-23185: Very large headers can cause resource exhaustion when parsing message (2024-09-10)
OSV: dovecot vulnerabilities (2024-09-02)

Vendor Advisories (4)

Ubuntu: Dovecot vulnerabilities (2024-09-16)
Ubuntu: Dovecot vulnerabilities (2024-09-02)
Red Hat: dovecot: very large headers can cause resource exhaustion when parsing message (2024-08-15)
Debian: CVE-2024-23185: dovecot - Very large headers can cause resource exhaustion when parsing message. The messa... (2024)