CVE-2017-14461: Infoleak
First published: Wed Feb 28 2018(Updated: )
A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server.
Credit: talos-cna@cisco.com talos-cna@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dovecot Dovecot | =2.2.33.2 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Ubuntu Ubuntu | =14.04 | |
| Ubuntu Ubuntu | =16.04 | |
| Ubuntu Ubuntu | =17.10 | |
| debian/dovecot | 1:2.3.13+dfsg1-2+deb11u1 1:2.3.13+dfsg1-2+deb11u2 1:2.3.19.1+dfsg1-2.1+deb12u1 1:2.3.21.1+dfsg1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2017-14461
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14461
- https://security-tracker.debian.org/tracker/CVE-2017-15130
- https://security-tracker.debian.org/tracker/CVE-2017-15132
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891819
- http://www.securityfocus.com/bid/103201
- https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0510
- https://usn.ubuntu.com/3587-1/
- https://usn.ubuntu.com/3587-2/
- https://www.debian.org/security/2018/dsa-4130
- https://www.dovecot.org/list/dovecot-news/2018-February/000370.html
- https://launchpad.net/bugs/cve/CVE-2017-14461
- https://github.com/dovecot/core/commit/30dc856f7b97b75b0e0d69f5003d5d99a13249b4
- https://github.com/dovecot/core/commit/8d65e2345e1dbedb00b662ee0abd05be2e7e6b7e
- https://github.com/dovecot/core/commit/b72d864b8c34cb21076214c0b28101baec530141
- https://github.com/dovecot/core/commit/e9b86842441a668b30796bff7d60828614570a1b
- https://github.com/dovecot/core/commit/f5cd17a27f0b666567747f8c921ebe1026970f11
- https://github.com/dovecot/core/commit/18a7a161c8dae6f630770a3cbab7374a0c3dd732
- https://github.com/dovecot/core/commit/0ed696987e5e5d44e971da2a10f6275b276ece34
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0510
- https://nvd.nist.gov/vuln/detail/CVE-2017-14461
- https://ubuntu.com/security/CVE-2017-14461
Frequently Asked Questions
What is CVE-2017-14461?
CVE-2017-14461 is a vulnerability that allows a specially crafted email to trigger an out of bounds read in Dovecot, potentially resulting in sensitive information disclosure and denial of service.
What is the severity of CVE-2017-14461?
The severity of CVE-2017-14461 is high, with a severity value of 7.1.
How does CVE-2017-14461 affect Dovecot?
CVE-2017-14461 affects Dovecot versions 2.2.33.2 and earlier, as well as some Ubuntu and Debian Linux distributions.
How can an attacker exploit CVE-2017-14461?
An attacker can exploit CVE-2017-14461 by sending a specially crafted email message to the server running Dovecot.
What is the remedy for CVE-2017-14461?
To remedy CVE-2017-14461, it is recommended to update Dovecot to version 2.2.34 or 2.3.0.1, or apply the appropriate security patches provided by the Ubuntu and Debian distributions.
- collector/debian-bugs
- alias/CVE-2017-14461
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/tags
- agent/description
- agent/softwarecombine
- agent/event
- agent/trending
- vendor/dovecot
- canonical/dovecot dovecot
- version/dovecot dovecot/2.2.33.2
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/14.04
- version/ubuntu ubuntu/16.04
- version/ubuntu ubuntu/17.10
- package-manager/debian