CVE-2017-15130

MEDIUM

dovecot < 2.2.34 - Denial of Service via TLS SNI Configuration Lookups

Title source: llm

Description

A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and causing the process to restart.

References (7)

Third Party Advisory, vendor advisory (Ubuntu): https://usn.ubuntu.com/3587-1/
Mailing List, Third Party Advisory (oss-sec): http://seclists.org/oss-sec/2018/q1/205
Mailing List (Debian LTS announce): https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html
Third Party Advisory, vendor advisory (Debian): https://www.debian.org/security/2018/dsa-4130
Vendor Advisory (Ubuntu): https://usn.ubuntu.com/3587-2/
Issue Tracking, Third Party Advisory (Red Hat Bugzilla): https://bugzilla.redhat.com/show_bug.cgi?id=1532356
Release Notes, Vendor Advisory (dovecot-news): https://www.dovecot.org/list/dovecot-news/2018-February/000370.html

Scores

CVSS v3 5.9
EPSS 0.0264
EPSS Percentile 83.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400
Status published
Products (6)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 17.10
debian/debian_linux 8.0
debian/debian_linux 9.0
dovecot/dovecot < 2.2.34
Published Mar 02, 2018
Tracked Since Feb 18, 2026