CVSS: 7.5EPSS: 4%CPEs: 10EXPL: 1CVE-2020-12100 – dovecot: Resource exhaustion via deeply nested MIME parts
https://notcve.org/view.php?id=CVE-2020-12100
In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts. En Dovecot versiones anteriores a 2.3.11.3, la recursividad no controlada en submission, lmtp, y lda permite a atacantes remotos causar una denegación de servicio (consumo de recursos) por medio de un mensaje de correo electrónico diseñado con partes MIME profundamente anidadas A flaw was found in dovecot. A remote attacker could cause a denial of service by repeatedly sending emails containing MIME parts containing malicious content of which dovecot will attempt to parse. The highest threat from this vulnerability is to system availability. • http://seclists.org/fulldisclosure/2021/Jan/18 http://www.openwall.com/lists/oss-security/2020/08/12/1 http://www.openwall.com/lists/oss-security/2021/01/04/3 https://dovecot.org/security https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2 http • CWE-674: Uncontrolled Recursion •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 1CVE-2020-12674 – dovecot: Crash due to assert in RPA implementation
https://notcve.org/view.php?id=CVE-2020-12674
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled. En Dovecot versiones anteriores a 2.3.11.3, el envío de una petición RPA con un formato especial bloqueará el servicio auth porque una longitud de cero es manejada inapropiadamente A flaw was found in dovecot. An attacker can use the way dovecot handles RPA (Remote Passphrase Authentication) to crash the authentication process repeatedly preventing login. The highest threat from this vulnerability is to system availability. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html https://dovecot.org/security https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2 https://lists.fedoraproject.org/ar • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 1CVE-2020-12673 – dovecot: Out of bound reads in dovecot NTLM implementation
https://notcve.org/view.php?id=CVE-2020-12673
In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read. En Dovecot versiones anteriores a 2.3.11.3, el envío de una petición NTLM con formato especial bloqueará el servicio auth debido a una lectura fuera de límites A flaw was found in dovecot. An out-of-bounds read flaw was found in the way dovecot handled NTLM authentication allowing an attacker to crash the dovecot auth process repeatedly preventing login. The highest threat from this vulnerability is to system availability. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html https://dovecot.org/security https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2 https://lists.fedoraproject.org/ar • CWE-125: Out-of-bounds Read •
CVSS: 3.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-16092 – QEMU: reachable assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c
https://notcve.org/view.php?id=CVE-2020-16092
In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c. En QEMU versiones hasta 5.0.0, puede ocurrir un fallo de aserción en el procesamiento de paquetes de red. Este problema afecta a los dispositivos de red e1000e y vmxnet3. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00024.html http://www.openwall.com/lists/oss-security/2020/08/10/1 https://lists.debian.org/debian-lts-announce/2020/09/msg00013.html https://lists.nongnu.org/archive/html/qemu-devel/2020-07/msg07563.html https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20200821-0006 https://usn.ubuntu.com/4467-1 https://www.debian.org/security/2020/dsa-4760 https://access.redhat.com/s • CWE-617: Reachable Assertion •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-15658 – Mozilla: Overriding file type when saving to disk
https://notcve.org/view.php?id=CVE-2020-15658
The code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an earlier position, leading to a different file type being downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1. El código para descargar archivos no toma cuidado apropiadamente de los caracteres especiales, lo que conllevaba a que un atacante sea capaz de cortar el archivo que terminaba en una posición anterior, conllevando a que sea descargado un tipo de archivo diferente al mostrado en el cuadro de diálogo. Esta vulnerabilidad afecta a Firefox ESR versiones anteriores a 78.1, Firefox versiones anteriores a 79 y Thunderbird versiones anteriores a 78.1 • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00025.html https://bugzilla.mozilla.org/show_bug.cgi?id=1637745 https://usn.ubuntu.com/4443-1 https://www.mozilla.org/security/advisories/mfsa2020-30 https://www.mozilla.org/security/advisories/mfsa2020-32 https://www.mozilla.org/security/advisories/mfsa2020-33 https://access.redhat.com/security/cve/CVE-2020-15658 https://bugzilla.redhat.com/show_bug.cgi?id=1861647 • CWE-138: Improper Neutralization of Special Elements CWE-754: Improper Check for Unusual or Exceptional Conditions •