Vulnerability Name: CVE-2021-36386 (CCN-206474)

Assigned: 2021-07-28
Published: 2021-07-28
Updated: 2022-10-28
Summary: report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages.
Note: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user.

CVSS v3 Severity:
7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): High

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): Low

7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): High

CVSS v2 Severity:
5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): Partial

Vulnerability Type:
  CWE-909
  CWE-665
Vulnerability Consequences: Denial of Service
References:

Source: MITRE
Type: CNA
CVE-2021-36386

Source: MISC
Type: Mailing List, Patch, Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/07/28/5

Source: MLIST
Type: Mailing List
[oss-security] 20210809 fetchmail 6.4.21 released/regression fix for 6.4.20's security fix, and UPDATE: fetchmail <= 6.4.19 security announcement 2021-01 (CVE-2021-36386)

Source: XF
Type: UNKNOWN
fetchmail-cve202136386-dos(206474)

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-b904d99ce5

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-47893f53ed

Source: GENTOO
Type: Third Party Advisory
GLSA-202209-14

Source: CCN
Type: Sourceforge Web site
Fetchmail

Source: CCN
Type: Fetchmail Web site
fetchmail-SA-2021-01: DoS or information disclosure logging long messages

Source: CONFIRM
Type: Vendor Advisory
https://www.fetchmail.info/fetchmail-SA-2021-01.txt

Source: MISC
Type: Vendor Advisory
https://www.fetchmail.info/security.html

Source: CCN
Type: oss-sec Mailing List, Wed, 28 Jul 2021 23:27:00 +0200
fetchmail 6.4.20 released. DoS or information disclosure in some configurations

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-36386

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:fetchmail:fetchmail:*:*:*:*:*:*:*:* (Version < 6.4.20)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions

Affected Products (vendor, product, version):
  • fetchmail fetchmail *
  • fedoraproject fedora 33
  • fedoraproject fedora 34