CVE-2001-1009

Fetchmail < 5.8.14 - Access Control

Title source: rule

Description

Fetchmail (aka fetchmail-ssl) before 5.8.17 allows a remote malicious (1) IMAP server or (2) POP/POP3 server to overwrite arbitrary memory and possibly gain privileges via a negative index number as part of a response to a LIST request.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Salvatore Sanfilippo -antirez- · cremoteunix

https://www.exploit-db.com/exploits/21064

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by Sanfillipo antirez · cremoteunix

https://www.exploit-db.com/exploits/21066

View Code ZIP pw:eip

References (10)

[Vendor Advisory] http://www.novell.com/linux/security/advisories/2001_026_fetchmail_txt.html

[Third Party Advisory] http://www.debian.org/security/2001/dsa-071

[Patch, Vendor Advisory] http://www.redhat.com/support/errata/RHSA-2001-103.html

[Exploit, Patch, Vendor Advisory] http://www.securityfocus.com/bid/3166

[Exploit, Patch, Vendor Advisory] http://archives.neohapsis.com/archives/bugtraq/2001-08/0118.html

[Vendor Advisory] http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000419

[Various Sources] http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-072.php3

[Patch, Vendor Advisory] http://www.linuxsecurity.com/advisories/other_advisory-1555.html

[Exploit, Patch, Vendor Advisory] http://www.securityfocus.com/bid/3164

[Third Party Advisory] http://www.iss.net/security_center/static/6965.php

Scores

EPSS 0.3326

EPSS Percentile 96.9%

Details

CWE

CWE-264

Status published

Products (50)

fetchmail/fetchmail 4.5.1

fetchmail/fetchmail 4.5.2

fetchmail/fetchmail 4.5.3

fetchmail/fetchmail 4.5.4

fetchmail/fetchmail 4.5.5

fetchmail/fetchmail 4.5.6

fetchmail/fetchmail 4.5.7

fetchmail/fetchmail 4.5.8

fetchmail/fetchmail 4.6.0

fetchmail/fetchmail 4.6.1

... and 40 more

Published Aug 31, 2001

Tracked Since Feb 18, 2026