{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23184", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2024-01-12T07:03:12.862Z", "datePublished": "2024-09-10T14:33:34.166Z", "dateUpdated": "2024-09-10T15:34:07.961Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["core"], "product": "OX Dovecot Pro", "vendor": "Open-Xchange GmbH", "versions": [{"lessThanOrEqual": "2.3.21", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "cwe"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2024-09-10T14:33:34.166Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2024/oxdc-adv-2024-0002.json"}], "source": {"defect": "DOV-6464", "discovery": "INTERNAL"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/08/15/3"}, {"url": "http://seclists.org/fulldisclosure/2024/Aug/17"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-10T15:02:54.865Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-10T15:33:58.049882Z", "id": "CVE-2024-23184", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-10T15:34:07.961Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/08/15/3"}, {"url": "http://seclists.org/fulldisclosure/2024/Aug/17"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-10T15:02:54.865Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23184", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:33:58.049882Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-10T15:34:04.350Z"}}], "cna": {"source": {"defect": "DOV-6464", "discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Open-Xchange GmbH", "modules": ["core"], "product": "OX Dovecot Pro", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3.21"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2024/oxdc-adv-2024-0002.json", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-770", "description": "Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2024-09-10T14:33:34.166Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23184", "state": "PUBLISHED", "dateUpdated": "2024-09-10T15:34:07.961Z", "dateReserved": "2024-01-12T07:03:12.862Z", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "datePublished": "2024-09-10T14:33:34.166Z", "assignerShortName": "OX"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known."}, {"lang": "es", "value": "Tener una gran cantidad de encabezados de direcciones (De, Para, Cc, Cco, etc.) hace que el uso de la CPU sea excesivamente intensivo. Con 100.000 l\u00edneas de encabezado, el uso de la CPU ya es de 12 segundos, y en un entorno de producci\u00f3n observamos que 500.000 l\u00edneas de encabezado tardaban 18 minutos en analizarse. Dado que esto puede ser provocado por actores externos que env\u00edan correos electr\u00f3nicos a una v\u00edctima, se trata de un problema de seguridad. Un atacante externo puede enviar mensajes especialmente manipulados que consumen recursos del sistema de destino y provocan una interrupci\u00f3n del servicio. Se pueden implementar restricciones en los encabezados de direcciones en el componente MTA anterior a Dovecot. No se conocen exploits disponibles p\u00fablicamente."}], "id": "CVE-2024-23184", "lastModified": "2024-11-21T08:57:08.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2024-09-10T15:15:14.763", "references": [{"source": "security@open-xchange.com", "url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2024/oxdc-adv-2024-0002.json"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Aug/17"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/08/15/3"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security@open-xchange.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:6973", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dovecot-1:2.3.16-6.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:6529", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dovecot-1:2.3.16-11.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-09-10T00:00:00Z"}, {"advisory": "RHSA-2024:6465", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "dovecot-1:2.3.16-8.el9_2.1", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-09-09T00:00:00Z"}], "bugzilla": {"description": "dovecot: using a large number of address headers may trigger a denial of service", "id": "2305909", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305909"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known.", "A flaw was found in Dovecot. Processing a large number of address headers (From, To, Cc, Bcc, etc) can be excessively CPU intensive. This flaw allows a remote attacker to trigger a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-23184", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2024-08-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-23184\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-23184"], "statement": "This issue is classified as moderate severity rather than important because, while it can result in significant performance degradation (e.g., high CPU usage and delays in processing emails with an excessive number of address headers), it does not directly compromise the confidentiality, integrity, or availability of the system in a critical way. The vulnerability primarily affects resource consumption (CPU time), which can lead to a potential denial-of-service (DoS) scenario, but only under specific conditions that require a large volume of headers to be processed. Moreover, the issue can be mitigated by setting limits on the number of address headers in the MTA, reducing the likelihood of exploitation.", "threat_severity": "Moderate"}