CVE-2021-36386
HIGHfetchmail < 6.4.20 - Denial of Service via Long Error Messages
Title source: llmDescription
report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user.
References (7)
Core 7
Core References
Vendor Advisory x_refsource_misc
https://www.fetchmail.info/security.html
Mailing List, Patch, Third Party Advisory x_refsource_misc
http://www.openwall.com/lists/oss-security/2021/07/28/5
Vendor Advisory x_refsource_confirm
https://www.fetchmail.info/fetchmail-SA-2021-01.txt
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/08/09/1
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OIXKO6QW3AUHGJVWKJXBCOVBYJUJRBFC/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGYO5AHSXTCKA4NQC2Z4H3XMMYNAGC77/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202209-14
Scores
CVSS v3
7.5
EPSS
0.0256
EPSS Percentile
83.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-909
Status
published
Products (3)
fedoraproject/fedora
33
fedoraproject/fedora
34
fetchmail/fetchmail
< 6.4.20
Published
Jul 30, 2021
Tracked Since
Feb 18, 2026