CVE-2021-33582

2021-09-0106:15:06

Debian Security Bug Tracker

security-tracker.debian.org

cyrus imap

denial of service

fix

hash table

interaction

remote attackers

3.4.2

3.2.8

3.0.16

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.005

Percentile

77.4%

JSON

Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16.

OSVersionArchitecturePackageVersionFilename
Debian12allcyrus-imapd< 3.4.2-1cyrus-imapd_3.4.2-1_all.deb
Debian11allcyrus-imapd< 3.2.6-2+deb11u1cyrus-imapd_3.2.6-2+deb11u1_all.deb
Debian999allcyrus-imapd< 3.4.2-1cyrus-imapd_3.4.2-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	cyrus-imapd	< 3.4.2-1	cyrus-imapd_3.4.2-1_all.deb
Debian	11	all	cyrus-imapd	< 3.2.6-2+deb11u1	cyrus-imapd_3.2.6-2+deb11u1_all.deb
Debian	999	all	cyrus-imapd	< 3.4.2-1	cyrus-imapd_3.4.2-1_all.deb