CVE-2024-23184
Publication date 24 August 2024
Last updated 30 May 2025
Ubuntu priority
Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| dovecot | 24.04 LTS noble |
Fixed 1:2.3.21+dfsg1-2ubuntu6
|
| 22.04 LTS jammy |
Fixed 1:2.3.16+dfsg1-3ubuntu2.4
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Notes
mdeslaur
introduced in 2.3.10 by: https://github.com/dovecot/core/commit/469fcd3bdd7df40bb8f4d131121f3bfbceade02a
Patch details
| Package | Patch details |
|---|---|
| dovecot |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.0 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Changed |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-6982-1
- Dovecot vulnerabilities
- 2 September 2024
- USN-7013-1
- Dovecot vulnerabilities
- 16 September 2024