Use-After-Free Vulnerability in OpenSMTPD by OpenBSD
CVE-2015-7687

9.8CRITICAL

Key Information:

Vendor
OpenBSD
Status
Opensmtpd
Vendor
CVE Published:
16 October 2017

Summary

An identified use-after-free vulnerability in OpenSMTPD prior to version 5.7.2 allows remote attackers to exploit this weakness. Attackers can craft specific inputs that leverage the req_ca_vrfy_smtp and req_ca_vrfy_mta functions, which can lead to a denial of service through application crashes or even facilitate the execution of arbitrary code. Given the nature of this flaw, it poses significant risks to systems employing OpenSMTPD, necessitating upgrades to mitigate potential threats.

References

http://www.openwall.com/lists/oss-security/2015/10/03/1
mailing-listx_refsource_MLIST
http://lists.fedoraproject.org/pipermail/package-announce...
vendor-advisoryx_refsource_FEDORA
https://www.opensmtpd.org/announces/release-5.7.2.txt
x_refsource_CONFIRM

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.