| Title | dovecot における認証に関する脆弱性 |
|---|---|
| Summary | dovecot には、認証に関する脆弱性、およびリソース管理に関する脆弱性が存在します。 |
| Possible impacts | サービス運用妨害 (DoS) 状態にされる可能性があります。 |
| Solution | ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date | Dec. 18, 2017, midnight |
| Registration Date | Feb. 26, 2018, 4:36 p.m. |
| Last Update | Feb. 26, 2018, 4:36 p.m. |
| CVSS3.0 : 重要 | |
| Score | 7.5 |
|---|---|
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVSS2.0 : 警告 | |
| Score | 5 |
|---|---|
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| Timo Sirainen |
| Dovecot 2.0 から 2.2.33 |
| Dovecot 2.3.0 |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [2018年02月26日] 掲載 |
Feb. 26, 2018, 4:36 p.m. |
| Summary | A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion. |
|---|---|
| Publication Date | Jan. 26, 2018, 5:29 a.m. |
| Registration Date | Jan. 26, 2021, 1:16 p.m. |
| Last Update | Nov. 21, 2024, 12:14 p.m. |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:* | 2.0.0 | 2.2.33 | |||
| cpe:2.3:a:dovecot:dovecot:2.3.0:*:*:*:*:*:*:* | |||||
| Configuration2 | or higher | or less | more than | less than | |
| cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* | |||||
| cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* | |||||
| cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* | |||||
| Configuration3 | or higher | or less | more than | less than | |
| cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* | |||||
| cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* | |||||
| cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:* | |||||
| cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:* | |||||