CVE-2021-3657 — Vulnetix

CVE-2021-3657 PUBLISHED CVSS 9.800000190734863 CRITICAL

A flaw was found in mbsync versions prior to 1.4.4. Due to inadequate handling of extremely large (>=2GiB) IMAP literals, malicious or compromised IMAP servers, and hypothetically even external email senders, could cause several different buffer overflows, which could conceivably be exploited for remote code execution.

EPSS 6.12% · 90.9th percentile

Risk Scores

CVSS v3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

6.12%

90.9th percentile

Affected Products

Vendor	Product	Versions
redhat	enterprise_linux	7.0
debian	debian_linux	9.0
fedoraproject	fedora	35
n/a	isync	isync 1.4.4
isync_project	isync	0

Timeline

Feb 18, 2022 CVE Published
Feb 19, 2022 EPSS Score
Mar 4, 2022 EPSS Score
Jun 3, 2022 EPSS Score
Jul 2, 2022 EPSS Score
Jul 26, 2022 EPSS Score
Nov 7, 2022 EPSS Score
Dec 29, 2022 EPSS Score
Feb 19, 2023 EPSS Score
Apr 12, 2023 EPSS Score
Jun 3, 2023 EPSS Score
Jul 25, 2023 EPSS Score

References

https://bugzilla.redhat.com/show_bug.cgi?id=2028932 url
https://www.openwall.com/lists/oss-security/2021/12/03/1 url
[debian-lts-announce] 20220701 [SECURITY] [DLA 3066-1] isync security update mailing-list
GLSA-202208-15 vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2021-3657 advisory

Open in Interactive Console →