CVE-2020-12100: Receiving mail with deeply nested MIME parts leads to resource exhaustion.
Open-Xchange Security Advisory 2020-08-12
Affected product: Dovecot IMAP server
Internal reference: DOP-1849 (Bug ID)
Vulnerability type: Uncontrolled recursion (CWE-674)
Vulnerable version: 2.0
Vulnerable component: submission, lmtp, lda
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-04-23
CVE reference: CVE-2020-12100
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Vulnerability Details: Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.
Risk: A malicious actor can cause denial of service to mail delivery by repeatedly sending mails with such content.
Workaround: Limit the depth of MIME structures in the MTA before handing mail to Dovecot.
Solution: Upgrade to fixed version.
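As an illustration of the workaround (limiting MIME nesting in the MTA before delivery), the following is an added example and not code from Dovecot or Open-Xchange. It scans a raw message line by line with an explicit boundary stack, so its memory use is bounded by the configured limit and it stops at the first level that exceeds it, without ever building the full MIME tree. The limit value MAX_MIME_DEPTH, the function names and the fixture builder are assumptions for the example; a real MTA hook would take the limit from its own policy.

```python
import re

# Constructed policy value (assumption): deepest multipart nesting the MTA
# will accept. Real mail rarely nests more than a handful of levels.
MAX_MIME_DEPTH = 10

# Matches the boundary parameter of a Content-Type header, quoted or not.
_BOUNDARY_RE = re.compile(rb'boundary\s*=\s*"?([^";\r\n]+)"?', re.IGNORECASE)


class MimeDepthExceeded(Exception):
    """Raised as soon as nesting goes beyond the configured limit."""


def mime_nesting_depth(raw: bytes, max_depth: int = MAX_MIME_DEPTH) -> int:
    """Return the deepest multipart nesting level of a raw RFC 5322 message.

    Iterative: an explicit stack of open boundaries replaces recursion into
    parts, and the scan aborts with MimeDepthExceeded the moment the stack
    grows past max_depth, so cost stays linear in message size.
    """
    stack = []            # boundaries of currently open multipart containers
    deepest = 0
    in_headers = True     # True while reading a header block (top level or a part)
    pending = None        # boundary declared by the header block being read
    ct_multipart = False  # last header seen was a multipart Content-Type (for folding)

    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if in_headers:
            if line == b"":
                # End of header block: if this entity is a container, open it.
                in_headers = False
                ct_multipart = False
                if pending is not None:
                    stack.append(pending)
                    pending = None
                    deepest = max(deepest, len(stack))
                    if deepest > max_depth:
                        raise MimeDepthExceeded(
                            f"nesting depth {deepest} exceeds limit {max_depth}")
                continue
            if line[:1] in (b" ", b"\t"):
                # Folded continuation line of the previous header.
                if ct_multipart:
                    m = _BOUNDARY_RE.search(line)
                    if m:
                        pending = m.group(1).strip()
            else:
                lower = line.lower()
                ct_multipart = lower.startswith(b"content-type:") and b"multipart/" in lower
                if ct_multipart:
                    m = _BOUNDARY_RE.search(line)
                    if m:
                        pending = m.group(1).strip()
            continue

        # Body line: only boundary delimiter lines change the structure.
        if stack and line.startswith(b"--"):
            for i in range(len(stack) - 1, -1, -1):
                b = stack[i]
                if line == b"--" + b + b"--":   # closing delimiter: container ends
                    del stack[i:]
                    break
                if line == b"--" + b:           # delimiter: a new part's headers follow
                    del stack[i + 1:]           # any unclosed inner containers end here
                    in_headers = True
                    ct_multipart = False
                    break
    return deepest


def accept_message(raw: bytes, max_depth: int = MAX_MIME_DEPTH):
    """Policy decision for an MTA content hook: (accepted, depth or None)."""
    try:
        return True, mime_nesting_depth(raw, max_depth)
    except MimeDepthExceeded:
        return False, None


def build_nested_message(depth: int) -> bytes:
    """Constructed test fixture (not captured mail): multipart/mixed containers
    nested `depth` levels deep around a single text/plain part."""
    body = b"Content-Type: text/plain\r\n\r\nhello\r\n"
    for level in range(depth, 0, -1):
        boundary = b"b%d" % level
        body = (b'Content-Type: multipart/mixed; boundary="' + boundary + b'"\r\n\r\n'
                + b"--" + boundary + b"\r\n" + body
                + b"--" + boundary + b"--\r\n")
    return (b"From: sender@example.invalid\r\nTo: rcpt@example.invalid\r\n"
            b"Subject: fixture\r\n" + body)


if __name__ == "__main__":
    for d in (3, 12):
        print(d, accept_message(build_nested_message(d)))
```

The check is meant to run in the MTA's content filter (or milter) path, so a message that fails it is rejected at SMTP time and never reaches lmtp, lda or submission. Because the scanner never allocates a part object per nesting level, the rejection itself cannot be turned into the resource-exhaustion condition it guards against.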
Best regards,
Aki Tuomi
Open-Xchange oy