CVE-2024-34055
First published: Wed Jun 05 2024(Updated: )
Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation by sending many LITERALs in a single command.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/cyrus imap | <3.8.3 | 3.8.3 |
| redhat/cyrus imap | <3.10.0 | 3.10.0 |
| debian/cyrus-imapd | <=3.2.6-2+deb11u2<=3.2.6-2+deb11u4 | 3.6.1-4+deb12u3 3.6.1-4+deb12u2 3.10.1-1 |
| Cyrus SASL | <3.8.3 | |
| Cyrus SASL | =3.10.0-alpha0 | |
| Cyrus SASL | =3.10.0-beta1 | |
| Cyrus SASL | =3.10.0-beta2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/cyrusimap/cyrus-imapd/commit/ef9e4e8314d6a06f2269af0ccf606894cc3fe489
- https://www.cyrusimap.org/dev/imap/download/release-notes/3.10/x/3.10.0-rc1.html
- https://www.cyrusimap.org/imap/download/release-notes/3.8/x/3.8.3.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2290512
- https://access.redhat.com/errata/RHSA-2024:9195
- https://bugzilla.redhat.com/show_bug.cgi?id=2290510
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJZQAE3XC2GBCE5KSTWJ5A6QYANFWGFB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WVZHUZDU4MGTTZJRNACTMSKXLNMMRLJ6/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34055
- https://nvd.nist.gov/vuln/detail/CVE-2024-34055
- https://launchpad.net/bugs/cve/CVE-2024-34055
- https://security-tracker.debian.org/tracker/CVE-2024-34055
- https://ubuntu.com/security/CVE-2024-34055
- https://cyrus.topicbox.com/groups/announce/Ta8e3998446caf7f8/cyrus-imap-3-8-3-3-6-5-and-3-4-8-released
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WVZHUZDU4MGTTZJRNACTMSKXLNMMRLJ6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CJZQAE3XC2GBCE5KSTWJ5A6QYANFWGFB/
Frequently Asked Questions
What is the severity of CVE-2024-34055?
CVE-2024-34055 has a high severity rating due to the potential for unbounded memory allocation leading to denial of service.
How do I fix CVE-2024-34055?
To fix CVE-2024-34055, upgrade to Cyrus IMAP version 3.8.3 or 3.10.0-rc1 or later.
What impact does CVE-2024-34055 have on my system?
CVE-2024-34055 allows authenticated attackers to exploit the vulnerability to exhaust system memory, potentially causing service disruptions.
What versions of Cyrus IMAP are affected by CVE-2024-34055?
CVE-2024-34055 affects Cyrus IMAP versions before 3.8.3 and 3.10.x before 3.10.0-rc1.
Who is vulnerable to CVE-2024-34055?
Authenticated users of Cyrus IMAP versions before 3.8.3 and 3.10.x before 3.10.0-rc1 are vulnerable to CVE-2024-34055.
- agent/type
- agent/remedy
- agent/weakness
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-34055
- agent/software-canonical-lookup
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/author
- collector/launchpad-cve
- source/Launchpad
- agent/source
- agent/references
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- agent/softwarecombine
- agent/trending
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- package-manager/redhat
- package-manager/debian
- vendor/cyrusimap
- canonical/cyrus sasl
- version/cyrus sasl/3.10.0-alpha0
- version/cyrus sasl/3.10.0-beta1
- version/cyrus sasl/3.10.0-beta2