CVE-2008-2711

Current Description

fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which triggers an erroneous dereference when using vsnprintf to format log messages.
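The description above pins the fault to how fetchmail formats verbose log messages with vsnprintf when a message carries a header longer than the logging code expects. This page does not reproduce fetchmail's logging code, so the following is an added example and not the project's source: a grow-on-demand formatter that handles an overlong header the way a log routine should, next to a fixed-buffer variant that makes explicit the two properties of vsnprintf that such code must respect: the return value is the length the complete output would need, not the number of bytes written, and a va_list that vsnprintf has already consumed may not be passed to it again without va_copy. The function names, the "fetchmail: header:" prefix and the constructed 5000-byte header are the example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format into a caller-supplied fixed buffer.
 * Returns 1 if the whole message fit, 0 if vsnprintf truncated it,
 * -1 on an encoding error.  vsnprintf's return value is the length the
 * complete output would need, so "n >= cap" means truncation and must be
 * checked before n is used as an index or a length. */
int fixed_format(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    if (n < 0) {
        if (cap > 0)
            buf[0] = '\0';
        return -1;
    }
    return (size_t)n < cap;
}

/* Grow-on-demand formatter: retries with a buffer sized from the previous
 * vsnprintf return value.  Every attempt gets a fresh va_copy, because a
 * va_list that has already been handed to vsnprintf is indeterminate and
 * must not be reused.  Returns a malloc'd string, or NULL on failure. */
static char *vformat_log_line(const char *fmt, va_list ap)
{
    size_t cap = 64;            /* deliberately small so the retry path runs */
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;
    for (;;) {
        va_list aq;
        va_copy(aq, ap);
        int n = vsnprintf(buf, cap, fmt, aq);
        va_end(aq);
        if (n < 0) {
            free(buf);
            return NULL;
        }
        if ((size_t)n < cap)    /* fit, terminating NUL included */
            return buf;
        size_t need = (size_t)n + 1;
        char *nb = realloc(buf, need);
        if (nb == NULL) {
            free(buf);
            return NULL;
        }
        buf = nb;
        cap = need;
    }
}

char *format_log_line(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *s = vformat_log_line(fmt, ap);
    va_end(ap);
    return s;
}

/* Constructed stand-in for an overlong header line: n bytes of 'X'. */
char *make_long_header(size_t n)
{
    char *h = malloc(n + 1);
    if (h == NULL)
        return NULL;
    memset(h, 'X', n);
    h[n] = '\0';
    return h;
}

int main(void)
{
    char *hdr = make_long_header(5000);
    char small[128];
    int fit = fixed_format(small, sizeof small, "fetchmail: header: %s", hdr);
    printf("fixed 128-byte buffer: %s (kept %zu bytes)\n",
           fit == 1 ? "fit" : "truncated", strlen(small));
    char *line = format_log_line("fetchmail: header: %s", hdr);
    printf("grow-on-demand: %zu bytes\n", line ? strlen(line) : 0);
    free(line);
    free(hdr);
    return 0;
}
```

The retry loop relies on the C99 contract that vsnprintf returns the needed length on truncation. Older C libraries returned -1 in that case; the example treats -1 as an encoding error and gives up, so on such a platform the loop would instead have to double cap on each -1 until the output fits.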

Basic Data

Published: June 16, 2008
Last Modified: October 11, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-20
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Integrity Impact: NONE
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    CPE Version | Part | Vendor | Product | Version | Update | Version End Including
    (Edition, Language, SW Edition, Target SW, Target HW and Other are "*" in every row; Version Start Including, Version Start Excluding and Version End Excluding are empty in every row.)
    2.3 | Application | Fetchmail | Fetchmail | 4.5.1 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.5.2 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.5.3 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.5.4 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.5.5 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.5.6 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.5.7 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.5.8 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.6.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.6.1 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.6.2 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.6.3 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.6.4 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.6.5 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.6.6 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.6.7 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.6.8 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.6.9 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.7.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.7.1 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.7.2 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.7.3 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.7.4 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.7.5 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.7.6 | * |
    2.3 | Application | Fetchmail | Fetchmail | 4.7.7 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.0.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.0.1 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.0.2 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.0.3 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.0.4 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.0.5 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.0.6 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.0.7 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.0.8 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.1.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.1.4 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.2.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.2.1 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.2.3 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.2.4 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.2.7 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.2.8 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.3.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.3.1 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.3.3 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.3.8 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.4.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.4.3 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.4.4 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.4.5 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.5.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.5.2 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.5.3 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.5.5 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.5.6 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.6.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.7.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.7.2 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.7.4 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.8 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.8.1 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.8.2 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.8.3 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.8.4 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.8.5 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.8.6 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.8.11 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.8.13 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.8.14 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.8.17 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.9.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.9.4 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.9.5 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.9.8 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.9.10 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.9.11 | * |
    2.3 | Application | Fetchmail | Fetchmail | 5.9.13 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.0.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.1.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.1.3 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.1 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.2 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.3 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.4 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.5 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.5.1 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.5.2 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.5.4 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.6 | pre4 |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.6 | pre8 |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.6 | pre9 |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.9 | rc10 |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.9 | rc3 |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.9 | rc4 |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.9 | rc5 |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.9 | rc7 |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.9 | rc8 |
    2.3 | Application | Fetchmail | Fetchmail | 6.2.9 | rc9 |
    2.3 | Application | Fetchmail | Fetchmail | 6.3.0 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.3.1 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.3.2 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.3.3 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.3.4 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.3.5 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.3.6 | * |
    2.3 | Application | Fetchmail | Fetchmail | 6.3.6 | rc1 |
    2.3 | Application | Fetchmail | Fetchmail | 6.3.6 | rc2 |
    2.3 | Application | Fetchmail | Fetchmail | 6.3.6 | rc3 |
    2.3 | Application | Fetchmail | Fetchmail | 6.3.6 | rc4 |
    2.3 | Application | Fetchmail | Fetchmail | 6.3.6 | rc5 |
    2.3 | Application | Fetchmail | Fetchmail | 6.3.7 | * |
    2.3 | Application | Fetchmail | Fetchmail | * | * | 6.3.8

Vulnerable Software List

Vendor | Product | Versions
Fetchmail | Fetchmail | * (any version up to and including 6.3.8, per Configuration 1), 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7, 4.6.8, 4.6.9, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.1.0, 5.1.4, 5.2.0, 5.2.1, 5.2.3, 5.2.4, 5.2.7, 5.2.8, 5.3.0, 5.3.1, 5.3.3, 5.3.8, 5.4.0, 5.4.3, 5.4.4, 5.4.5, 5.5.0, 5.5.2, 5.5.3, 5.5.5, 5.5.6, 5.6.0, 5.7.0, 5.7.2, 5.7.4, 5.8, 5.8.1, 5.8.2, 5.8.3, 5.8.4, 5.8.5, 5.8.6, 5.8.11, 5.8.13, 5.8.14, 5.8.17, 5.9.0, 5.9.4, 5.9.5, 5.9.8, 5.9.10, 5.9.11, 5.9.13, 6.0.0, 6.1.0, 6.1.3, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.5.1, 6.2.5.2, 6.2.5.4, 6.2.6, 6.2.9, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7

References

Name | URL | Source | Tags
APPLE-SA-2009-02-12 | http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html | APPLE |
30742 | http://secunia.com/advisories/30742 | SECUNIA | Vendor Advisory
30895 | http://secunia.com/advisories/30895 | SECUNIA | Vendor Advisory
31262 | http://secunia.com/advisories/31262 | SECUNIA | Vendor Advisory
31287 | http://secunia.com/advisories/31287 | SECUNIA | Vendor Advisory
33937 | http://secunia.com/advisories/33937 | SECUNIA | Vendor Advisory
SSA:2008-210-01 | http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.495740 | SLACKWARE |
http://support.apple.com/kb/HT3438 | http://support.apple.com/kb/HT3438 | CONFIRM |
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0235 | http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0235 | CONFIRM |
http://www.fetchmail.info/fetchmail-SA-2008-01.txt | http://www.fetchmail.info/fetchmail-SA-2008-01.txt | CONFIRM |
MDVSA-2008:117 | http://www.mandriva.com/security/advisories?name=MDVSA-2008:117 | MANDRIVA |
[oss-security] 20080613 CVE Id Request: fetchmail <= 6.3.8 DoS when logging long headers in -v -v mode | http://www.openwall.com/lists/oss-security/2008/06/13/1 | MLIST |
20080617 fetchmail security announcement fetchmail-SA-2008-01 (CVE-2008-2711) | http://www.securityfocus.com/archive/1/493391/100/0/threaded | BUGTRAQ |
20080729 rPSA-2008-0235-1 fetchmail fetchmailconf | http://www.securityfocus.com/archive/1/494865/100/0/threaded | BUGTRAQ |
29705 | http://www.securityfocus.com/bid/29705 | BID |
1020298 | http://www.securitytracker.com/id?1020298 | SECTRACK |
ADV-2008-1860 | http://www.vupen.com/english/advisories/2008/1860/references | VUPEN |
ADV-2009-0422 | http://www.vupen.com/english/advisories/2009/0422 | VUPEN |
https://bugzilla.novell.com/show_bug.cgi?id=354291 | https://bugzilla.novell.com/show_bug.cgi?id=354291 | MISC |
fetchmail-logmessage-dos(43121) | https://exchange.xforce.ibmcloud.com/vulnerabilities/43121 | XF |
https://issues.rpath.com/browse/RPL-2623 | https://issues.rpath.com/browse/RPL-2623 | CONFIRM |
oval:org.mitre.oval:def:10950 | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10950 | OVAL |
FEDORA-2008-5789 | https://www.redhat.com/archives/fedora-package-announce/2008-June/msg01091.html | FEDORA |
FEDORA-2008-5800 | https://www.redhat.com/archives/fedora-package-announce/2008-June/msg01095.html | FEDORA |