CVE-2017-15132

A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.

Published: Jan 25, 2018
Updated: Apr 13, 2023
CVE: CVE-2017-15132
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-772

Affected Software
References

Software	From	Fixed in
dovecot / dovecot	2.0.0	2.2.33.x
dovecot / dovecot	2.3.0	2.3.0.x
debian / debian_linux	8.0	8.0.x
debian / debian_linux	7.0	7.0.x
debian / debian_linux	9.0	9.0.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	12.04	12.04.x
canonical / ubuntu_linux	17.10	17.10.x

https://bugzilla.redhat.com/show_bug.cgi?id=1532768
https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch
https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html
https://usn.ubuntu.com/3556-1/
https://usn.ubuntu.com/3556-2/
https://www.debian.org/security/2018/dsa-4130
https://www.dovecot.org/list/dovecot-news/2018-February/000370.html

Vulnerability Database

289,697

CVE-2017-15132