Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Informations
Name CVE-2021-33912 First vendor Publication 2022-01-19
Vendor Cve Last vendor Modification 2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 9.8
Base Score 9.8 Environmental Score 9.8
impact SubScore 5.9 Temporal Score 9.8
Exploitabality Sub Score 3.9
 
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33912

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Os 1

Sources (Detail)

https://github.com/shevek/libspf2/tree/8131fe140704eaae695e76b5cd09e39bd1dd220b
https://lists.debian.org/debian-lts-announce/2022/01/msg00015.html
https://nathanielbennett.com/blog/libspf2-cve-jan-2022-disclosure
https://security.gentoo.org/glsa/202401-22
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
Date Informations
2024-11-28 13:57:33
  • Multiple Updates
2024-01-15 21:27:46
  • Multiple Updates
2022-01-26 21:22:54
  • Multiple Updates
2022-01-21 09:22:53
  • Multiple Updates
2022-01-19 21:22:58
  • First insertion