{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-25T15:07:03", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.fetchmail.info/security.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.openwall.com/lists/oss-security/2021/07/28/5"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.fetchmail.info/fetchmail-SA-2021-01.txt"}, {"name": "[oss-security] 20210809 fetchmail 6.4.21 released/regression fix for 6.4.20's security fix, and UPDATE: fetchmail <= 6.4.19 security announcement 2021-01 (CVE-2021-36386)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/08/09/1"}, {"name": "FEDORA-2021-47893f53ed", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OIXKO6QW3AUHGJVWKJXBCOVBYJUJRBFC/"}, {"name": "FEDORA-2021-b904d99ce5", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGYO5AHSXTCKA4NQC2Z4H3XMMYNAGC77/"}, {"name": "GLSA-202209-14", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202209-14"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-36386", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.fetchmail.info/security.html", "refsource": "MISC", "url": "https://www.fetchmail.info/security.html"}, {"name": "http://www.openwall.com/lists/oss-security/2021/07/28/5", "refsource": "MISC", "url": "http://www.openwall.com/lists/oss-security/2021/07/28/5"}, {"name": "https://www.fetchmail.info/fetchmail-SA-2021-01.txt", "refsource": "CONFIRM", "url": "https://www.fetchmail.info/fetchmail-SA-2021-01.txt"}, {"name": "[oss-security] 20210809 fetchmail 6.4.21 released/regression fix for 6.4.20's security fix, and UPDATE: fetchmail <= 6.4.19 security announcement 2021-01 (CVE-2021-36386)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/08/09/1"}, {"name": "FEDORA-2021-47893f53ed", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIXKO6QW3AUHGJVWKJXBCOVBYJUJRBFC/"}, {"name": "FEDORA-2021-b904d99ce5", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGYO5AHSXTCKA4NQC2Z4H3XMMYNAGC77/"}, {"name": "GLSA-202209-14", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202209-14"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:54:51.476Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.fetchmail.info/security.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/07/28/5"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.fetchmail.info/fetchmail-SA-2021-01.txt"}, {"name": "[oss-security] 20210809 fetchmail 6.4.21 released/regression fix for 6.4.20's security fix, and UPDATE: fetchmail <= 6.4.19 security announcement 2021-01 (CVE-2021-36386)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/08/09/1"}, {"name": "FEDORA-2021-47893f53ed", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OIXKO6QW3AUHGJVWKJXBCOVBYJUJRBFC/"}, {"name": "FEDORA-2021-b904d99ce5", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGYO5AHSXTCKA4NQC2Z4H3XMMYNAGC77/"}, {"name": "GLSA-202209-14", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202209-14"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-36386", "datePublished": "2021-07-29T13:59:24", "dateReserved": "2021-07-12T00:00:00", "dateUpdated": "2024-08-04T00:54:51.476Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fetchmail:fetchmail:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F3BEF4E-E90A-482F-AFC9-C0CE0619ACB1", "versionEndExcluding": "6.4.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user."}, {"lang": "es", "value": "Una funci\u00f3n report_vbuild en el archivo report.c en Fetchmail versiones anteriores a 6.4.20, a veces omite la inicializaci\u00f3n del argumento vsnprintf va_list, lo que podr\u00eda permitir a servidores de correo causar una denegaci\u00f3n de servicio o posiblemente tener otro impacto no especificado por medio de largos mensajes de error. NOTA: no est\u00e1 claro si el uso de Fetchmail en cualquier plataforma realista presenta un impacto m\u00e1s all\u00e1 de un inconveniente para el usuario cliente"}], "id": "CVE-2021-36386", "lastModified": "2024-11-21T06:13:39.480", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-30T14:15:18.140", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/07/28/5"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2021/08/09/1"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGYO5AHSXTCKA4NQC2Z4H3XMMYNAGC77/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OIXKO6QW3AUHGJVWKJXBCOVBYJUJRBFC/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202209-14"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.fetchmail.info/fetchmail-SA-2021-01.txt"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.fetchmail.info/security.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/07/28/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2021/08/09/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGYO5AHSXTCKA4NQC2Z4H3XMMYNAGC77/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OIXKO6QW3AUHGJVWKJXBCOVBYJUJRBFC/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202209-14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.fetchmail.info/fetchmail-SA-2021-01.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.fetchmail.info/security.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-909"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:1964", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "fetchmail-0:6.4.24-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}], "bugzilla": {"description": "fetchmail: DoS or information disclosure when logging long messages", "id": "1987766", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1987766"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-665", "details": ["report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user.", "A flaw was found in fetchmail. The flaw lies in how fetchmail when running in verbose mode using the -v flag tries to log long messages that are created from long headers. An attacker could potentially use this flaw to cause a Denial of Service attack or crash. The highest threat from this vulnerability is to data availability. This flaw was earlier identified by CVE-2008-2711 and fixed, however it recently got reintroduced due to a code refactoring issue. The current bug fix applies a different approach than the earlier one."], "name": "CVE-2021-36386", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "fetchmail", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "fetchmail", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "fetchmail", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-07-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-36386\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-36386\nhttps://www.fetchmail.info/fetchmail-SA-2021-01.txt"], "threat_severity": "Moderate"}