FreeBSD D1DFC4C7-8791-11E3-A371-6805CA0B3D42
Jan 27, 2014 - 12:00 a.m.

rt42 -- denial-of-service attack via the email gateway

2014-01-27 00:00:00
vuxml.freebsd.org

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

EPSS: 0.007 Low
Percentile: 79.7%

The RT development team reports:

Versions of RT between 4.2.0 and 4.2.2 (inclusive) are
vulnerable to a denial-of-service attack via the email
gateway; any installation which accepts mail from untrusted
sources is vulnerable, regardless of the permissions
configuration inside RT. This vulnerability is assigned
CVE-2014-1474.

This vulnerability is caused by poor parsing performance
in the Email::Address::List module, which RT depends on. We
recommend that affected users upgrade their version of
Email::Address::List to v0.02 or above, which resolves the
issue. Due to a communications mishap, the release on CPAN
will temporarily appear as “unauthorized,” and the
command-line cpan client will hence not install it. We
expect this to be resolved shortly; in the meantime, the
release is also available from our server.

OS       OS Version  Architecture  Package                Package Version  Filename
FreeBSD  any         noarch        rt42                   = 4.2            UNKNOWN
FreeBSD  any         noarch        rt42                   < 4.2.1_3        UNKNOWN
FreeBSD  any         noarch        p5-email-address-list  < 0.02           UNKNOWN
