First published: Thu Dec 24 2020
smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain configurations, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted pattern of client activity, because the filter state machine does not properly maintain the I/O channel between the SMTP engine and the filters layer.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Opensmtpd Opensmtpd | <6.8.0 | |
| Opensmtpd Opensmtpd | =6.8.0 | |
| Opensmtpd Opensmtpd | =6.8.0-patch1-rc1 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
CVE-2020-35680 is a vulnerability in OpenSMTPD before 6.8.0p1 that can allow remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted pattern of client activity.
CVE-2020-35680 can cause a denial of service in OpenSMTPD, leading to a crash of the daemon.
The severity of CVE-2020-35680 is high, with a CVSS score of 7.5.
OpenSMTPD versions before 6.8.0p1 are affected by CVE-2020-35680.
To fix CVE-2020-35680, it is recommended to update to OpenSMTPD 6.8.0p1 or later.
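The advisory's two triage facts are a version boundary (fixed in 6.8.0p1) and a configuration condition ("in certain configurations", the filter layer). The following is an added example, not code from SecAlerts or from the OpenSMTPD project: it orders OpenSMTPD portable version strings the way the affected-version table above does (`6.8.0`, `6.8.0-patch1-rc1` and everything earlier are affected; `6.8.0p1` and later are not) and flags `smtpd.conf` texts that declare or attach a filter. The version-string grammar (`X.Y.Z`, optional `pN`/`-patchN`, optional `-rcN`) and the assumption that filter-enabled configurations are the exposed ones are the example's own; the sample configuration is constructed.

```python
import re

# Fixed release named by the advisory: OpenSMTPD 6.8.0p1.
FIXED_VERSION = "6.8.0p1"

# OpenSMTPD portable version strings as they appear in the advisory's table:
# "6.7.1p1", "6.8.0", "6.8.0p1", "6.8.0-patch1-rc1". The "pN"/"-patchN"
# suffix is the portable patch level and "-rcN" a release candidate
# (assumption: no other suffixes occur).
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:(?:p|-patch)(\d+))?(?:-rc(\d+))?$"
)


def version_key(version: str) -> tuple:
    """Map a version string to a tuple that sorts in release order.

    A release candidate sorts before the final release of the same patch
    level, so 6.8.0 < 6.8.0-patch1-rc1 < 6.8.0p1 < 6.8.0p2.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSMTPD version string: {version!r}")
    major, minor, patch, plevel, rc = m.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor), int(patch), int(plevel or 0), is_final, int(rc or 0))


def is_affected(version: str) -> bool:
    """True when the installed version predates the fixed release 6.8.0p1."""
    return version_key(version) < version_key(FIXED_VERSION)


# Assumption: the "certain configurations" are those with filters wired in.
# In smtpd.conf a filter is declared by a line starting with "filter ..."
# and attached to a listener by "listen on ... filter ...".
_FILTER_DEF_RE = re.compile(r"^\s*filter\s+", re.MULTILINE)
_LISTEN_FILTER_RE = re.compile(r"^\s*listen\s+on\b.*\bfilter\b", re.MULTILINE)


def uses_filters(conf_text: str) -> bool:
    """True when an smtpd.conf text declares a filter or attaches one to a listener."""
    return bool(_FILTER_DEF_RE.search(conf_text) or _LISTEN_FILTER_RE.search(conf_text))


def assess(version: str, conf_text: str) -> str:
    """Combine the version and configuration checks into a triage verdict."""
    if not is_affected(version):
        return f"not affected: version {version} is at or past {FIXED_VERSION}"
    if uses_filters(conf_text):
        return f"exposed: filters are configured, update to {FIXED_VERSION} or later"
    return f"vulnerable version, no filters configured: update to {FIXED_VERSION} or later"


if __name__ == "__main__":
    # Constructed sample smtpd.conf fragment with a filter attached to a listener.
    SAMPLE_CONF = """\
table aliases file:/etc/mail/aliases
filter "rspamd" proc-exec "filter-rspamd"
listen on 0.0.0.0 port 25 filter "rspamd"
action "local" mbox alias <aliases>
match from any for local action "local"
"""
    for v in ("6.7.1p1", "6.8.0", "6.8.0-patch1-rc1", "6.8.0p1", "6.9.0"):
        print(f"{v:18} {assess(v, SAMPLE_CONF)}")
```

The verdict deliberately separates "vulnerable version" from "exposed": a host running an affected build without any filter directive still needs the update, but the host with filters on its listeners is the one matching the advisory's crash condition and should be patched first.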