CVE-2017-14230: Input Validation

Q: What is the severity of CVE-2017-14230?

CVE-2017-14230 has a medium severity level due to its potential for information disclosure and denial of service.

Q: How do I fix CVE-2017-14230?

To fix CVE-2017-14230, upgrade to Cyrus IMAP version 3.0.4 or later.

Q: What does CVE-2017-14230 affect?

CVE-2017-14230 affects Cyrus IMAP versions prior to 3.0.4.

Q: What type of vulnerability is CVE-2017-14230?

CVE-2017-14230 is an off-by-one error vulnerability that can lead to the use of uninitialized memory.

Q: Can CVE-2017-14230 be exploited remotely?

Yes, CVE-2017-14230 can potentially be exploited by remote attackers to obtain sensitive information.

Published Sep 10, 2017

Updated

In the mboxlistdofind function in imap/mboxlist.c in Cyrus IMAP before 3.0.4, an off-by-one error in prefix calculation for the LIST command caused use of uninitialized memory, which might allow remote attackers to obtain sensitive information or cause a denial of service (daemon crash) via a 'LIST "" "Other Users"' command.

Affected Software

1 affected component

Cyrus IMAP<=3.0.3

Remediation

Patch Available

https://github.com/cyrusimap/cyrus-imapd/commit/6bd33275368edfa71ae117de895488584678ac79

Event History

Sep 10, 2017

CVE Published

via MITRE·07:00 AM

Data Sourced

via MITRE·07:00 AM

Description

Frequently Asked Questions

What is the severity of CVE-2017-14230?

CVE-2017-14230 has a medium severity level due to its potential for information disclosure and denial of service.

How do I fix CVE-2017-14230?

To fix CVE-2017-14230, upgrade to Cyrus IMAP version 3.0.4 or later.

What does CVE-2017-14230 affect?