CVE-2021-44143
CRITICALisync 1.4.0-1.4.3 - Remote Code Execution via Crafted IMAP Mail Message
Title source: llmDescription
A flaw was found in mbsync in isync 1.4.0 through 1.4.3. Due to an unchecked condition, a malicious or compromised IMAP server could use a crafted mail message that lacks headers (i.e., one that starts with an empty line) to provoke a heap overflow, which could conceivably be exploited for remote code execution.
References (7)
Core 7
Core References
Third Party Advisory x_refsource_misc
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999804
Third Party Advisory x_refsource_misc
https://sourceforge.net/p/isync/isync/ref/master/tags/
Patch, Third Party Advisory x_refsource_misc
https://sourceforge.net/p/isync/isync/commit_browser
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/12/03/2
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CYZ2GNB4ZO2T27D2XNUWMCS3THZYSJQU/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCBSY7OZ57XNC6ZYXF6WU5KBSWITZVDX/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202208-15
Scores
CVSS v3
9.8
EPSS
0.1026
EPSS Percentile
93.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-787
Status
published
Products (6)
debian/debian_linux
9.0
debian/debian_linux
10.0
debian/debian_linux
11.0
fedoraproject/fedora
34
fedoraproject/fedora
35
isync_project/isync
1.4.0 - 1.4.3
Published
Nov 22, 2021
Tracked Since
Feb 18, 2026