All the vulnerabilites related to rjbs - Email-MIME
cve-2024-4140
Vulnerability from cvelistv5
Published
2024-05-02 19:59
Modified
2025-02-13 17:53
Severity ?
EPSS score ?
Summary
An excessive memory use issue (CWE-770) exists in Email-MIME, before version 1.954, which can cause denial of service when parsing multipart MIME messages. The patch set (from 2020 and 2024) limits excessive depth and the total number of parts.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| rjbs | Email-MIME |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rjbs:email_mime:1.954:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "email_mime",
"vendor": "rjbs",
"versions": [
{
"lessThan": "1.954",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4140",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T15:51:07.201412Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-18T18:10:53.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/rjbs/Email-MIME/issues/66"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/rjbs/Email-MIME/pull/80"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://bugs.debian.org/960062"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4140"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/rjbs/Email-MIME/commit/3a12edd119e493156a5a05e45dd50f4e36b702e8"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/rjbs/Email-MIME/commit/7e96ecfa1da44914a407f82ae98ba817bba08f2d"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/rjbs/Email-MIME/commit/02bf3e26812c8f38a86a33c168571f9783365df2"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/rjbs/Email-MIME/commit/fc0fededd24a71ccc51bcd8b1e486385d09aae63"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/rjbs/Email-MIME/commit/b2cb62f19e12580dd235f79e2546d44a6bec54d1"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/rjbs/Email-MIME/commit/3dcf096eeccb8e4dd42738de676c8f4a5aa7a531"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFD5BWGYAVLW6IO4SUNLTJCFFLHZYQGT/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YHXHDLPZ6JV4KK3Q43O6TE3WOBAIUQRC/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"packageName": "libemail-mime-perl",
"platforms": [
"Linux"
],
"product": "Email-MIME",
"repo": "https://github.com/rjbs/Email-MIME",
"vendor": "rjbs",
"versions": [
{
"lessThan": "1.954",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Ricardo Signes"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Marc Bradshaw"
},
{
"lang": "en",
"type": "analyst",
"value": "Miha Purg"
}
],
"descriptions": [
{
"lang": "en",
"value": "An excessive memory use issue (CWE-770) exists in Email-MIME, before version 1.954, which can cause denial of service when parsing multipart MIME messages. The patch set (from 2020 and 2024) limits excessive depth and the total number of parts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T17:09:42.432Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/rjbs/Email-MIME/issues/66"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/rjbs/Email-MIME/pull/80"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugs.debian.org/960062"
},
{
"tags": [
"issue-tracking"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4140"
},
{
"tags": [
"patch"
],
"url": "https://github.com/rjbs/Email-MIME/commit/3a12edd119e493156a5a05e45dd50f4e36b702e8"
},
{
"tags": [
"patch"
],
"url": "https://github.com/rjbs/Email-MIME/commit/7e96ecfa1da44914a407f82ae98ba817bba08f2d"
},
{
"tags": [
"patch"
],
"url": "https://github.com/rjbs/Email-MIME/commit/02bf3e26812c8f38a86a33c168571f9783365df2"
},
{
"tags": [
"patch"
],
"url": "https://github.com/rjbs/Email-MIME/commit/fc0fededd24a71ccc51bcd8b1e486385d09aae63"
},
{
"tags": [
"patch"
],
"url": "https://github.com/rjbs/Email-MIME/commit/b2cb62f19e12580dd235f79e2546d44a6bec54d1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/rjbs/Email-MIME/commit/3dcf096eeccb8e4dd42738de676c8f4a5aa7a531"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFD5BWGYAVLW6IO4SUNLTJCFFLHZYQGT/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YHXHDLPZ6JV4KK3Q43O6TE3WOBAIUQRC/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-4140",
"datePublished": "2024-05-02T19:59:20.917Z",
"dateReserved": "2024-04-24T17:32:29.243Z",
"dateUpdated": "2025-02-13T17:53:29.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}