CVE-2021-33582
cyrus-imapd: Denial of service via string hashing algorithm collisions
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16.
Cyrus IMAP versiones anteriores a 3.4.2, permite a atacantes remotos causar una denegación de servicio (cuelgue del demonio de varios minutos) por medio de una entrada manejada inapropiadamente durante la interacción de la tabla hash. Debido a que presenta muchas inserciones en un solo cubo, strcmp se vuelve lento. Esto se ha corregido en las versiones 3.4.2, 3.2.8 y 3.0.16
A flaw was found in cyrus-imapd. A bad string hashing algorithm used in internal hash tables allows user inputs to be stored in predictable buckets. A user may cause a CPU denial of service by maliciously directing many inputs to a single bucket. The highest threat from this vulnerability is to system availability.
It was discovered that non-authentication-related HTTP requests could be interpreted in an authentication context by a Cyrus IMAP Server when multiple requests arrived over the same connection. An unauthenticated attacker could possibly use this issue to perform a privilege escalation attack. This issue only affected Ubuntu 18.04 LTS. Matthew Horsfall discovered that Cyrus IMAP Server utilized a poor string hashing algorithm that could be abused to control where data was being stored. An attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-26 CVE Reserved
- 2021-09-01 CVE Published
- 2024-08-03 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-407: Inefficient Algorithmic Complexity
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://github.com/cyrusimap/cyrus-imapd/security/advisories | Not Applicable | |
| https://lists.debian.org/debian-lts-announce/2022/06/msg00013.html | Mailing List |
|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Cyrus Search vendor "Cyrus" | Imap Search vendor "Cyrus" for product "Imap" | < 3.0.16 Search vendor "Cyrus" for product "Imap" and version " < 3.0.16" | - |
Affected
| ||||||
| Cyrus Search vendor "Cyrus" | Imap Search vendor "Cyrus" for product "Imap" | >= 3.2.0 < 3.2.8 Search vendor "Cyrus" for product "Imap" and version " >= 3.2.0 < 3.2.8" | - |
Affected
| ||||||
| Cyrus Search vendor "Cyrus" | Imap Search vendor "Cyrus" for product "Imap" | >= 3.4.0 < 3.4.2 Search vendor "Cyrus" for product "Imap" and version " >= 3.4.0 < 3.4.2" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||