9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.066 Low
EPSS
Percentile
93.7%
Severity: Medium
Date : 2021-12-03
CVE-ID : CVE-2021-3657 CVE-2021-44143
Package : isync
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-2579
The package isync before version 1.4.4-1 is vulnerable to arbitrary
code execution.
Upgrade to 1.4.4-1.
The problems have been fixed upstream in version 1.4.4.
None.
A security issue was found in mbsync in isync versions before 1.4.4.
Due to inadequate handling of extremely large (>=2GiB) IMAP literals,
malicious or compromised IMAP servers, and hypothetically even external
email senders, could cause several different buffer overflows, which
could conceivably be exploited for remote code execution.
A security issue was found in mbsync in isync 1.4.0 before version
1.4.4. Due to an unchecked condition, a malicious or compromised IMAP
server could use a crafted mail message that lacks headers (i.e., one
that starts with an empty line) to provoke a heap overflow, which could
conceivably be exploited for remote code execution.
A remote attacker could execute arbitrary code on the mbsync client
through crafted email messages.
https://www.openwall.com/lists/oss-security/2021/12/03/1
https://www.openwall.com/lists/oss-security/2021/12/03/1/1
https://sourceforge.net/p/isync/isync/ci/463272eab866a36162fe51813327ca7af2f37ca0/
https://sourceforge.net/p/isync/isync/ci/ba13362a52d8749731ba645e5e50e47862a5b91d/
https://sourceforge.net/p/isync/isync/ci/bc15e571b650270b87e9758916f93eab04992cef/
https://sourceforge.net/p/isync/isync/ci/127003ee37e3eb6d914782be43097338baa32d2b/
https://www.openwall.com/lists/oss-security/2021/12/03/2
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999804
https://www.openwall.com/lists/oss-security/2021/12/03/2/1
https://sourceforge.net/p/isync/isync/ci/87065c12b477ee7239dd907f352dda5289c0c919/
https://security.archlinux.org/CVE-2021-3657
https://security.archlinux.org/CVE-2021-44143
bugs.debian.org/cgi-bin/bugreport.cgi?bug=999804
security.archlinux.org/AVG-2579
security.archlinux.org/CVE-2021-3657
security.archlinux.org/CVE-2021-44143
sourceforge.net/p/isync/isync/ci/127003ee37e3eb6d914782be43097338baa32d2b/
sourceforge.net/p/isync/isync/ci/463272eab866a36162fe51813327ca7af2f37ca0/
sourceforge.net/p/isync/isync/ci/87065c12b477ee7239dd907f352dda5289c0c919/
sourceforge.net/p/isync/isync/ci/ba13362a52d8749731ba645e5e50e47862a5b91d/
sourceforge.net/p/isync/isync/ci/bc15e571b650270b87e9758916f93eab04992cef/
www.openwall.com/lists/oss-security/2021/12/03/1
www.openwall.com/lists/oss-security/2021/12/03/1/1
www.openwall.com/lists/oss-security/2021/12/03/2
www.openwall.com/lists/oss-security/2021/12/03/2/1
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.066 Low
EPSS
Percentile
93.7%