7.8

CVE-2021-3578

A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response. This could be plausibly exploited for remote code execution on the client.

Data is provided by the National Vulnerability Database (NVD)
Isync ProjectIsync Version < 1.3.6
Isync ProjectIsync Version1.4.0
Isync ProjectIsync Version1.4.1
FedoraprojectFedora Version33
FedoraprojectFedora Version34
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 2.87% 0.858
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.2 3.9 10
AV:L/AC:L/Au:N/C:C/I:C/A:C
CWE-704 Incorrect Type Conversion or Cast

The product does not correctly convert an object, resource, or structure from one type to a different type.

http://www.openwall.com/lists/oss-security/2021/06/07/1
Patch
Third Party Advisory
Mailing List
https://bugzilla.redhat.com/show_bug.cgi?id=1967397
Patch
Third Party Advisory
Issue Tracking
https://www.openwall.com/lists/oss-security/2021/06/07/1
Patch
Third Party Advisory
Mailing List