CVE-2008-3962 - Vulnerability Details - OpenCVE

The from_format function in ssmtp.c in ssmtp 2.61 and 2.62, in certain configurations, uses uninitialized memory for the From: field of an e-mail message, which might allow remote attackers to obtain sensitive information (memory contents) in opportunistic circumstances by reading a message.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00608.

Key SSVC decision points have not yet been added.

Vendors	Products
Ssmtp	Ssmtp

Configuration 1 [-]

OR	cpe:2.3:a:ssmtp:ssmtp:2.61:::::::*
	cpe:2.3:a:ssmtp:ssmtp:2.62:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2008-3947	The from_format function in ssmtp.c in ssmtp 2.61 and 2.62, in certain configurations, uses uninitialized memory for the From: field of an e-mail message, which might allow remote attackers to obtain sensitive information (memory contents) in opportunistic circumstances by reading a message.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2008/09/09/5
http://www.openwall.com/lists/oss-security/2008/09/09/6
http://www.openwall.com/lists/oss-security/2008/09/11/2
http://www.securityfocus.com/bid/31094
http://www.vupen.com/english/advisories/2008/2597
https://bugs.gentoo.org/234391
https://exchange.xforce.ibmcloud.com/vulnerabilities/45038

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-09-10T15:00:00

Updated: 2024-08-07T10:00:42.265Z

Reserved: 2008-09-09T00:00:00

Link: CVE-2008-3962

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2008-09-11T01:13:47.587

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-3962

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-09-09T00:00:00", "descriptions": [{"lang": "en", "value": "The from_format function in ssmtp.c in ssmtp 2.61 and 2.62, in certain configurations, uses uninitialized memory for the From: field of an e-mail message, which might allow remote attackers to obtain sensitive information (memory contents) in opportunistic circumstances by reading a message."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "ADV-2008-2597", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2597"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.gentoo.org/234391"}, {"name": "ssmtp-fromformat-information-disclosure(45038)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45038"}, {"name": "[oss-security] 20080911 Re: ssmtp =2.62 unitialized memory disclosure", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2008/09/11/2"}, {"name": "[oss-security] 20080909 Re: ssmtp =2.62 unitialized memory disclosure", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2008/09/09/6"}, {"name": "[oss-security] 20080909 ssmtp =2.62 unitialized memory disclosure", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2008/09/09/5"}, {"name": "31094", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/31094"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-3962", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The from_format function in ssmtp.c in ssmtp 2.61 and 2.62, in certain configurations, uses uninitialized memory for the From: field of an e-mail message, which might allow remote attackers to obtain sensitive information (memory contents) in opportunistic circumstances by reading a message."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "ADV-2008-2597", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2597"}, {"name": "https://bugs.gentoo.org/234391", "refsource": "CONFIRM", "url": "https://bugs.gentoo.org/234391"}, {"name": "ssmtp-fromformat-information-disclosure(45038)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45038"}, {"name": "[oss-security] 20080911 Re: ssmtp =2.62 unitialized memory disclosure", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2008/09/11/2"}, {"name": "[oss-security] 20080909 Re: ssmtp =2.62 unitialized memory disclosure", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2008/09/09/6"}, {"name": "[oss-security] 20080909 ssmtp =2.62 unitialized memory disclosure", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2008/09/09/5"}, {"name": "31094", "refsource": "BID", "url": "http://www.securityfocus.com/bid/31094"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T10:00:42.265Z"}, "title": "CVE Program Container", "references": [{"name": "ADV-2008-2597", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/2597"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.gentoo.org/234391"}, {"name": "ssmtp-fromformat-information-disclosure(45038)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45038"}, {"name": "[oss-security] 20080911 Re: ssmtp =2.62 unitialized memory disclosure", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2008/09/11/2"}, {"name": "[oss-security] 20080909 Re: ssmtp =2.62 unitialized memory disclosure", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2008/09/09/6"}, {"name": "[oss-security] 20080909 ssmtp =2.62 unitialized memory disclosure", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2008/09/09/5"}, {"name": "31094", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/31094"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-3962", "datePublished": "2008-09-10T15:00:00", "dateReserved": "2008-09-09T00:00:00", "dateUpdated": "2024-08-07T10:00:42.265Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ssmtp:ssmtp:2.61:*:*:*:*:*:*:*", "matchCriteriaId": "E340EC83-0A43-4D94-A938-5D54C0589601", "vulnerable": true}, {"criteria": "cpe:2.3:a:ssmtp:ssmtp:2.62:*:*:*:*:*:*:*", "matchCriteriaId": "19A13D99-C357-4F06-BA4D-A25EF8C0C51B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The from_format function in ssmtp.c in ssmtp 2.61 and 2.62, in certain configurations, uses uninitialized memory for the From: field of an e-mail message, which might allow remote attackers to obtain sensitive information (memory contents) in opportunistic circumstances by reading a message."}, {"lang": "es", "value": "La funci\u00f3n from_format en el archivo ssmtp.c en ssmtp versiones 2.61 y 2.62, en determinadas configuraciones, utiliza memoria no inicializada para el campo From: de un mensaje de correo electr\u00f3nico, lo que podr\u00eda permitir a los atacantes remotos obtener informaci\u00f3n confidencial (contenido de memoria) en circunstancias oportunistas mediante la lectura de un mensaje."}], "id": "CVE-2008-3962", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-09-11T01:13:47.587", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2008/09/09/5"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2008/09/09/6"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2008/09/11/2"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/31094"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2008/2597"}, {"source": "cve@mitre.org", "url": "https://bugs.gentoo.org/234391"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45038"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2008/09/09/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2008/09/09/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2008/09/11/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/31094"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2008/2597"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugs.gentoo.org/234391"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45038"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}