Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
Max CVSS
5.9
EPSS Score
0.15%
Published
2021-08-30
Updated
2022-10-28
report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user.
Max CVSS
7.5
EPSS Score
0.43%
Published
2021-07-30
Updated
2022-10-28
socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Max CVSS
6.4
EPSS Score
0.15%
Published
2009-08-07
Updated
2018-10-10
fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which triggers an erroneous dereference when using vsnprintf to format log messages.
Max CVSS
4.3
EPSS Score
10.55%
Published
2008-06-16
Updated
2021-08-09
sink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.
Max CVSS
5.0
EPSS Score
1.87%
Published
2007-08-28
Updated
2018-10-15
fetchmail before 6.3.6-rc4 does not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive information via man-in-the-middle (MITM) attacks.
Max CVSS
7.8
EPSS Score
10.74%
Published
2006-12-31
Updated
2018-10-17
Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier.
Max CVSS
5.0
EPSS Score
4.84%
Published
2005-07-27
Updated
2018-10-19
Fetchmail 6.2.4 and earlier does not properly allocate memory for long lines, which allows remote attackers to cause a denial of service (crash) via a certain email.
Max CVSS
5.0
EPSS Score
3.55%
Published
2003-11-17
Updated
2017-07-11
Heap-based buffer overflow in Fetchmail 6.1.3 and earlier does not account for the "@" character when determining buffer lengths for local addresses, which allows remote attackers to execute arbitrary code via a header with a large number of local addresses.
Max CVSS
7.5
EPSS Score
30.55%
Published
2002-12-23
Updated
2018-05-03
The getmxrecord function in Fetchmail 6.0.0 and earlier does not properly check the boundary of a particular malformed DNS packet from a malicious DNS server, which allows remote attackers to cause a denial of service (crash) when Fetchmail attempts to read data beyond the expected boundary.
Max CVSS
5.0
EPSS Score
2.79%
Published
2002-10-11
Updated
2016-10-18
Buffer overflows in Fetchmail 6.0.0 and earlier allow remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) long headers that are not properly processed by the readheaders function, or (2) via long Received: headers, which are not properly parsed by the parse_received function.
Max CVSS
7.5
EPSS Score
11.80%
Published
2002-10-11
Updated
2016-10-18
fetchmail email client before 5.9.10 does not properly limit the maximum number of messages available, which allows a remote IMAP server to overwrite memory via a message count that exceeds the boundaries of an array.
Max CVSS
5.0
EPSS Score
0.23%
Published
2002-06-25
Updated
2011-02-15
fetchmailconf in fetchmail before 5.7.4 allows local users to overwrite files of other users via a symlink attack on temporary files.
Max CVSS
2.1
EPSS Score
0.04%
Published
2001-09-06
Updated
2011-02-16
Fetchmail (aka fetchmail-ssl) before 5.8.17 allows a remote malicious (1) IMAP server or (2) POP/POP3 server to overwrite arbitrary memory and possibly gain privileges via a negative index number as part of a response to a LIST request.
Max CVSS
10.0
EPSS Score
1.24%
Published
2001-08-31
Updated
2011-02-16
A buffer overflow in Linux fetchmail before 5.8.6 allows remote attackers to execute arbitrary code via a large 'To:' field in an email header.
Max CVSS
7.5
EPSS Score
9.56%
Published
2001-12-06
Updated
2017-10-10
Vulnerability in fetchmail 5.5.0-2 and earlier in the AUTHENTICATE GSSAPI command.
Max CVSS
10.0
EPSS Score
1.39%
Published
2001-02-12
Updated
2017-12-19
16 vulnerabilities found