CVE-2021-33582

Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16.

Published: Sep 1, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-33582
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-327
CWE-407

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
cyrus / imap	-	3.0.16
cyrus / imap	3.2.0	3.2.8
cyrus / imap	3.4.0	3.4.2
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x
debian / debian_linux	9.0	9.0.x

https://cyrus.topicbox.com/groups/announce/T3dde0a2352462975-M1386fc44adf967e072f8df13/cyrus-imap-3-4-2-3-2-8-and-3-0-16-released
https://github.com/cyrusimap/cyrus-imapd/commits/master
https://github.com/cyrusimap/cyrus-imapd/security/advisories
https://lists.debian.org/debian-lts-announce/2022/06/msg00013.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/6HEO3RURJW6NLIXS7NK5PVU6MGHC4SCM/
https://lists.fedoraproject.org/archives/list/[email protected]/message/WJZB45QBUN7CZFGOWCZYUYACNBTX7LVS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HEO3RURJW6NLIXS7NK5PVU6MGHC4SCM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJZB45QBUN7CZFGOWCZYUYACNBTX7LVS/
https://www.cyrusimap.org/imap/download/release-notes/index.html

Vulnerability Database

289,599

CVE-2021-33582