Vulnerability Details : CVE-2017-14461
A specially crafted email delivered over SMTP and handed to Dovecot by an MTA can trigger an out-of-bounds read, resulting in potential sensitive information disclosure and denial of service. To trigger this vulnerability, an attacker needs to send a specially crafted email message to the server.
Vulnerability category: Denial of service; Information leak
Products affected by CVE-2017-14461
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:ubuntu:ubuntu:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:ubuntu:ubuntu:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:ubuntu:ubuntu:17.10:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:2.2.33.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-14461
- EPSS score: 18.22% (estimated probability of exploitation activity in the next 30 days)
- Percentile: ~96% (the proportion of all scored vulnerabilities with an EPSS score at or below this one)
CVSS scores for CVE-2017-14461
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
| 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:P | 8.0 | 4.9 | NIST |
| 7.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H | 2.8 | 4.2 | NIST |
| 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H | 1.6 | 4.2 | Talos |

The first row is a CVSS v2 score; the other two are CVSS v3.0. The NIST and Talos v3.0 vectors differ in a single metric, Attack Complexity (AC:L versus AC:H), which is the whole reason for the 7.1 versus 5.9 gap; the impact sub-score (4.2) is identical in both.
CWE ids for CVE-2017-14461
- The product reads data past the end, or before the beginning, of the intended buffer. Assigned by: nvd@nist.gov (Primary); talos-cna@cisco.com (Secondary)
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-14461
- https://www.dovecot.org/list/dovecot-news/2018-February/000370.html : [Dovecot-news] v2.2.34 released (Issue Tracking; Vendor Advisory)
- http://www.securityfocus.com/bid/103201 : Dovecot CVE-2017-14461 Out-Of-Bounds Read Information Disclosure Vulnerability (Third Party Advisory; VDB Entry)
- https://usn.ubuntu.com/3587-1/ : USN-3587-1: Dovecot vulnerabilities | Ubuntu security notices (Patch; Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4130 : Debian -- Security Information -- DSA-4130-1 dovecot (Third Party Advisory)
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0510 : TALOS-2017-0510 || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html : [SECURITY] [DLA 1333-1] dovecot security update
- https://usn.ubuntu.com/3587-2/ : USN-3587-2: Dovecot vulnerabilities | Ubuntu security notices