report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user.

🗓️ 19 Jan 2022 08:00:00Reported by MicrosoftType

mscve

mscve🔗 msrc.microsoft.com👁 1 Views

Fetchmail pre-6.4.20 omits variable argument list init in report_vbuild, risking denial of service.

Reporter	Title	Published	Views	Family All 86
ATTACKERKB	CVE-2021-36386	30 Jul 202114:15	–	attackerkb
Tenable Nessus	Alibaba Cloud Linux 3 : 0198: fetchmail (ALINUX3-SA-2022:0198)	14 May 202500:00	–	nessus
Tenable Nessus	AlmaLinux 8 : fetchmail (ALSA-2022:1964)	12 May 202200:00	–	nessus
Tenable Nessus	CentOS 8 : fetchmail (CESA-2022:1964)	10 May 202200:00	–	nessus
Tenable Nessus	CentOS 9 : fetchmail-6.4.24-1.el9	29 Feb 202400:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP8 : fetchmail (EulerOS-SA-2021-2629)	2 Nov 202100:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP5 : fetchmail (EulerOS-SA-2021-2658)	11 Nov 202100:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP3 : fetchmail (EulerOS-SA-2022-1162)	23 Feb 202200:00	–	nessus
Tenable Nessus	FreeBSD : fetchmail -- 6.4.19 and older denial of service or information disclosure (cbfd1874-efea-11eb-8fe9-036bd763ff35)	30 Jul 202100:00	–	nessus
Tenable Nessus	GLSA-202209-14 : Fetchmail: Multiple Vulnerabilities	25 Sep 202200:00	–	nessus

Vulners

Node

microsoft cbl2_fetchmail_6.4.22-1Range<6.4.22-1

19 Jan 2022 08:00Current

7High risk

Vulners AI Score7

CVSS 25

CVSS 3.17.5

EPSS0.0026

fetchmail denial of service long error messages variable argument list report vbuild