5 results (0.012 seconds)

CVSS: 7.5EPSS: 1%CPEs: 4EXPL: 1

OpenDMARC 1.4.1 and 1.4.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a multi-value From header field. OpenDMARC versiones 1.4.1 y 1.4.1.1 permite a atacantes remotos causar una denegación de servicio (desviación del puntero NULL y bloqueo de la aplicación) por medio de un campo de encabezado From de varios valores • https://github.com/trusteddomainproject/OpenDMARC/issues/179 https://github.com/trusteddomainproject/OpenDMARC/pull/178 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MAT4ZSWPQ5SUTMYCXRXI5SMTWL4AG7E https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZHZD4WZDYRBB2XVW2EQ4DQ2KYMAGPUO • CWE-476: NULL Pointer Dereference •

CVSS: 9.8EPSS: 1%CPEs: 6EXPL: 1

OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREV_INUSE flag. OpenDMARC versiones hasta 1.3.2 y versiones desde 1.4.x hasta 1.4.0-Beta1, presenta una terminación nula inapropiada en la función opendmarc_xml_parse que puede resultar en un desbordamiento de la pila por un byte en opendmarc_xml al analizar un reporte agregado DMARC especialmente diseñado. Esto puede causar daños en la memoria remota cuando un byte "\0" sobrescribe los metadatos de la pila del siguiente fragmento y su flag PREV_INUSE • https://github.com/trusteddomainproject/OpenDMARC/issues/64 https://lists.debian.org/debian-lts-announce/2021/04/msg00026.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2D4JGHMALEJEWWG56DKR5OZB22TK7W5B https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JHDKMCZGE3W4XBP76NLI2Q7IOZHXLD4A https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBOGOQOK3TIWWJV66MW5YWNRJAFFYGR5 https://security.gentoo.org/glsa/202011-02 • CWE-787: Out-of-bounds Write •

CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 2

OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field. OpenDMARC versiones hasta 1.3.2 y versiones 1.4.x, cuando es usado con pypolicyd-spf versión 2.0.2, permite ataques que omiten la autenticación SPF y DMARC en situaciones en las que el campo HELO es inconsistente con el campo MAIL FROM. • https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2D4JGHMALEJEWWG56DKR5OZB22TK7W5B https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBOGOQOK3TIWWJV66MW5YWNRJAFFYGR5 https://sourceforge.net/p/opendmarc/tickets/235 https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf • CWE-290: Authentication Bypass by Spoofing •

CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 1

OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring. OpenDMARC versiones hasta 1.3.2 y versiones 1.4.x, permite ataques que inyectan resultados de autenticación para proporcionar información falsa acerca del dominio que originó un mensaje de correo electrónico. Esto es causado por el análisis e interpretación incorrecta de los resultados de la autenticación SPF/DKIM, como es demostrado por la subcadena example.net(.example.com • https://lists.debian.org/debian-lts-announce/2023/08/msg00035.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2D4JGHMALEJEWWG56DKR5OZB22TK7W5B https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBOGOQOK3TIWWJV66MW5YWNRJAFFYGR5 https://sourceforge.net/p/opendmarc/tickets/237 https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf • CWE-290: Authentication Bypass by Spoofing •

CVSS: 9.8EPSS: 0%CPEs: 9EXPL: 0

OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone to a signature-bypass vulnerability with multiple From: addresses, which might affect applications that consider a domain name to be relevant to the origin of an e-mail message. OpenDMARC versiones hasta 1.3.2 y versiones 1.4.x hasta 1.4.0-Beta1, es propenso a una vulnerabilidad de omisión de firma con múltiples direcciones From: que podrían afectar aplicaciones que consideran que un nombre de dominio es relevante para el origen de un mensaje de correo electrónico . • http://www.openwall.com/lists/oss-security/2019/09/17/2 https://bugs.debian.org/940081 https://github.com/trusteddomainproject/OpenDMARC/pull/48 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HEWDFGRKQHIWKFZH5BNWQDGUPNR7VH3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUBIHJLMPMB6KHOSGDMUQKSAW4HOCYM https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y7RT6ID7MBCEPNZEIUKK2TZIOCYPJR6E https://seclists& • CWE-290: Authentication Bypass by Spoofing •