CVE-2024-23184

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-23184
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23184.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-23184
Related
Published
2024-09-10T15:15:14Z
Modified
2024-09-18T03:24:55.350457Z
Summary
[none]
Details

Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known.

References

Affected packages

Debian:11 / dovecot

Package

Name
dovecot
Purl
pkg:deb/debian/dovecot?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.3.13+dfsg1-2+deb11u2

Affected versions

1:2.*

1:2.3.13+dfsg1-2
1:2.3.13+dfsg1-2+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / dovecot

Package

Name
dovecot
Purl
pkg:deb/debian/dovecot?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.3.19.1+dfsg1-2.1+deb12u1

Affected versions

1:2.*

1:2.3.19.1+dfsg1-2.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / dovecot

Package

Name
dovecot
Purl
pkg:deb/debian/dovecot?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:2.3.21.1+dfsg1-1

Affected versions

1:2.*

1:2.3.19.1+dfsg1-2.1
1:2.3.20+dfsg1-1
1:2.3.21+dfsg1-1
1:2.3.21+dfsg1-2
1:2.3.21+dfsg1-3~bpo12+1
1:2.3.21+dfsg1-3
1:2.3.21.1+dfsg1-1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}