CVE-2005-4348 - fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attacke

CVE-2005-4348

Summary

fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.

References

Vulnerable Configurations

cpe:2.3:a:fetchmail:fetchmail:6.2.0:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.0:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.1:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.1:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.2:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.2:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.3:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.3:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.4:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.4:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.5:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.5:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.5.4:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.2.5.4:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.3.0:*:*:*:*:*:*:*
cpe:2.3:a:fetchmail:fetchmail:6.3.0:*:*:*:*:*:*:*

CVSS

Base:	7.8 (as of 19-10-2018 - 15:40)
Impact:
Exploitability:

CWE

CWE-399

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	COMPLETE

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:N/A:C

oval via4

accepted

2013-04-29T04:21:07.736-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 3
oval oval:org.mitre.oval:def:11782
comment CentOS Linux 3.x
oval oval:org.mitre.oval:def:16651
comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990

description

family

unix

oval:org.mitre.oval:def:9659

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

redhat via4

advisories

rhsa

id	RHSA-2007:0018

rpms

fetchmail-0:5.9.0-21.7.3.el2.1.4
fetchmail-0:6.2.0-3.el3.3
fetchmail-0:6.2.5-6.el4.5
fetchmail-debuginfo-0:6.2.0-3.el3.3
fetchmail-debuginfo-0:6.2.5-6.el4.5
fetchmailconf-0:5.9.0-21.7.3.el2.1.4

refmap via4

bid	15987 19289
bugtraq	20051221 fetchmail security announcement fetchmail-SA-2005-03 (CVE-2005-4348) 20060526 rPSA-2006-0084-1 fetchmail
confirm	http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt
debian	DSA-939
mandriva	MDKSA-2005:236
misc	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343836
osvdb	21906
sectrack	1015383
secunia	17891 18172 18231 18266 18433 18463 18895 21253 24007 24284
sgi	20070201-01-P
slackware	SSA:2006-045-01
suse	SUSE-SR:2007:004
trustix	2006-0002
ubuntu	USN-233-1
vupen	ADV-2005-2996 ADV-2006-3101
xf	fetchmail-null-pointer-dos(23713)

statements via4

contributor	Mark J Cox
lastmodified	2007-01-31
organization	Red Hat
statement	The Red Hat Security Response Team has rated this issue as having low security impact. An update is available for Red Hat Enterprise Linux 4 to correct this issue: http://rhn.redhat.com/errata/RHSA-2007-0018.html This issue did not affect Red Hat Enterprise Linux 2.1 and 3.

Last major update

19-10-2018 - 15:40

Published

21-12-2005 - 00:03

Last modified

19-10-2018 - 15:40