CVE-2024-28054

HIGH

Amavis <2.12.3, 2.13.x <2.13.1 - Info Disclosure

Title source: llm

Description

Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict (relative to some mail user agents) when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or malware.

References (10)

[Various Sources] https://gitlab.com/amavis/amavis/-/raw/v2.13.1/README_FILES/README.CVE-2024-28054

View Writeup ZIP pw:eip

[Various Sources] https://lists.amavis.org/pipermail/amavis-users/2024-March/006811.html

[Various Sources] https://metacpan.org/pod/MIME::Tools

[Various Sources] https://www.amavis.org/release-notes.txt

[Issue Tracking] https://gitlab.com/amavis/amavis/-/issues/112

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/6J2MK2CS3KNJOS66QLW2MBJ4PIDLWJP5/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/XQQQQPTZ5JHXTUCYUXZHY6RZJ6VOGOAJ/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6J2MK2CS3KNJOS66QLW2MBJ4PIDLWJP5/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CDF6M3UXP45INVSWB4HXEDZH35CVZIJ4/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQQQQPTZ5JHXTUCYUXZHY6RZJ6VOGOAJ/

Scores

CVSS v3 7.4

EPSS 0.0040

EPSS Percentile 60.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-436

Status published

Published Mar 18, 2024

Tracked Since Feb 18, 2026