[Dovecot-news] CVE-2020-12100: Receiving mail with deeply nested MIME parts leads to resource exhaustion.
Aki Tuomi
aki.tuomi at dovecot.fi
Wed Aug 12 16:07:38 EEST 2020
Open-Xchange Security Advisory 2020-08-12
Affected product: Dovecot IMAP server
Internal reference: DOP-1849 (Bug ID)
Vulnerability type: Uncontrolled recursion (CWE-674)
Vulnerable version: 2.0
Vulnerable component: submission, lmtp, lda
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-04-23
CVE reference: CVE-2020-12100
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Vulnerability Details:
Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.
Risk:
A malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad content.
Workaround:
Limit MIME structures in MTA.
Solution:
Upgrade to fixed version.
Best regards,
Aki Tuomi
Open-Xchange oy
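
The workaround in the advisory above leaves the actual limit to the MTA. As an added example (not part of the advisory and not Dovecot's code), a pre-delivery filter can measure container nesting in a single pass with an explicit stack instead of recursion; the function name, the limit of 3 and the sample message are assumptions made for illustration.

```python
import re

MAX_DEPTH = 3  # assumed policy value; the advisory does not name a limit
_BOUNDARY = re.compile(rb'boundary\s*=\s*(?:"([^"]+)"|([^\s;]+))', re.I)
# Constructed sample: multipart -> message/rfc822 -> multipart (depth 3).
SAMPLE = (b'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
          b'Content-Type: message/rfc822\n\n'
          b'Content-Type: multipart/alternative;\n boundary=b2\n\n--b2\n'
          b'Content-Type: text/plain\n\nhello\n--b2--\n--b1--\n')

def mime_depth(raw: bytes, limit: int = MAX_DEPTH) -> int:
    """Deepest multipart / message/rfc822 nesting; stops early at limit + 1."""
    stack = []  # open containers: boundary bytes, or None for message/rfc822
    in_headers, header, embedded, deepest = True, b"", False, 0
    for line in raw.splitlines():
        if in_headers:
            if line[:1] in (b" ", b"\t"):   # folded header continuation
                header += line
                continue
            low = header.lower()            # previous header is now complete
            if low.startswith(b"content-type:"):
                m = _BOUNDARY.search(header)
                if b"multipart/" in low and m:
                    stack.append(m.group(1) or m.group(2))
                elif b"message/rfc822" in low:
                    embedded = True
            header = line
            if line == b"":                 # blank line ends the header block
                if embedded:                # embedded message: headers follow
                    stack.append(None)
                    embedded = False
                else:
                    in_headers = False
            deepest = max(deepest, len(stack))
            if deepest > limit:             # bounded work on hostile input
                return deepest
        elif line.startswith(b"--"):
            delim = line.rstrip()
            for i in range(len(stack) - 1, -1, -1):
                if stack[i] is None:
                    continue
                if delim == b"--" + stack[i]:          # next sibling part
                    del stack[i + 1:]
                    in_headers, header = True, b""
                    break
                if delim == b"--" + stack[i] + b"--":  # container closed
                    del stack[i:]
                    break
    return deepest
```

A filter would reject or defer the message when `mime_depth(raw, limit) > limit`, before it reaches submission, lmtp or lda.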