Large Headers Can Cause Resource Exhaustion
CVE-2024-23185
What is CVE-2024-23185?
A vulnerability exists in the Dovecot email server where very large headers can lead to resource exhaustion when messages are parsed. The message parser normally processes reasonably sized chunks of data, but it assembles the 'full_value' buffer from these chunks without any size limit, so an excessively large header can drive memory usage up significantly. Such headers are not usually a vector for a direct denial-of-service attack against a user, because Mail Transfer Agents (MTAs) enforce limits on the size of incoming mail; users can, however, exhaust their own service's resources by appending large mails. The issue is present in all versions of Dovecot, and the recommended mitigation is to enforce header size restrictions at the MTA level.
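As an added illustration (not Dovecot's code and not the vendor's fix; the function names, the 8192-byte cap and the constructed inputs are assumptions), a chunked header-value accumulator that applies the size bound the unbounded 'full_value' buffer described above lacks: without the first check in hv_append, the buffer would simply grow in step with the header, which is the resource-exhaustion path.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed cap for one header value; the affected Dovecot versions have none. */
#define MAX_HEADER_VALUE 8192

struct header_value { char *data; size_t len, cap; };

/* Append one chunk to the accumulated value. Returns 0 on success, -1 when the
 * value would exceed MAX_HEADER_VALUE, so the caller rejects the header instead
 * of letting the buffer grow in step with the input. */
static int hv_append(struct header_value *hv, const char *chunk, size_t n) {
    if (n > MAX_HEADER_VALUE - hv->len)
        return -1;                          /* bounded: refuse to grow further */
    if (hv->len + n + 1 > hv->cap) {        /* grow geometrically, up to the cap */
        size_t ncap = hv->cap ? hv->cap : 256;
        while (ncap < hv->len + n + 1) ncap *= 2;
        char *p = realloc(hv->data, ncap);
        if (p == NULL) return -1;
        hv->data = p; hv->cap = ncap;
    }
    memcpy(hv->data + hv->len, chunk, n);
    hv->len += n;
    hv->data[hv->len] = '\0';
    return 0;
}

/* Feed a header value to the accumulator in fixed-size chunks, as a streaming
 * parser would. Returns the accumulated length, or -1 once the cap is hit. */
long parse_header_chunked(const char *value, size_t total, size_t chunk_size) {
    struct header_value hv = {0};
    long result = 0;
    for (size_t off = 0; off < total && result == 0; off += chunk_size) {
        size_t n = total - off < chunk_size ? total - off : chunk_size;
        if (hv_append(&hv, value + off, n) < 0) result = -1;
    }
    if (result == 0) result = (long)hv.len;
    free(hv.data);
    return result;
}

/* Constructs a header value of `total` repeated bytes and parses it. */
long parse_repeated(char c, size_t total, size_t chunk_size) {
    char *v = malloc(total);
    if (v == NULL) return -1;
    memset(v, c, total);
    long r = parse_header_chunked(v, total, chunk_size);
    free(v);
    return r;
}
```

A 1 MiB constructed header value is refused after the cap is reached, whereas a value of exactly 8192 bytes is accepted; a caller would log and reject the message at that point rather than continue reading it.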
Affected Version(s)
OX Dovecot Pro: all versions up to and including 2.3.21 (0 <= version <= 2.3.21)