Vulnerability Details : CVE-2017-15132
A flaw was found in Dovecot 2.0 up to 2.2.33 and 2.3.0. Aborting SASL authentication results in a memory leak in Dovecot's auth client, which is used by the login processes. The leak matters in high-performance configurations where the same login processes are reused for many connections: each aborted authentication leaks a little more memory, and the process can eventually crash from memory exhaustion.
Products affected by CVE-2017-15132
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:2.3.0:*:*:*:*:*:*:*
Threat overview for CVE-2017-15132
- Top open port discovered on systems with this issue: 993
- IPs affected by CVE-2017-15132: 747
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2017-15132
- EPSS score: 0.88% (probability of exploitation activity in the next 30 days)
- Percentile: ~80% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2017-15132
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2017-15132
- The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Assigned by: secalert@redhat.com (Secondary)
- The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-15132
- https://www.dovecot.org/list/dovecot-news/2018-February/000370.html ([Dovecot-news] v2.2.34 released; Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1532768 (1532768 – (CVE-2017-15132) CVE-2017-15132 dovecot: Auth leaks memory if SASL authentication is aborted; Issue Tracking; Patch; Third Party Advisory)
- https://usn.ubuntu.com/3556-1/ (USN-3556-1: Dovecot vulnerability | Ubuntu security notices; Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4130 (Debian -- Security Information -- DSA-4130-1 dovecot; Third Party Advisory)
- https://usn.ubuntu.com/3556-2/ (USN-3556-2: Dovecot vulnerabilities | Ubuntu security notices; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html ([SECURITY] [DLA 1333-1] dovecot security update; Mailing List; Third Party Advisory)
- https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch (Patch; Third Party Advisory)