CVE - CVE-2021-3578

CVE-ID
CVE-2021-3578	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response. This could be plausibly exploited for remote code execution on the client.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
FEDORA:FEDORA-2021-754af4d52b URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RPIDLIJKNRJHUVBCL7QGAPAAVPIHQGXK/ FEDORA:FEDORA-2021-f236f9f01a URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U75UFEWRAZYKVL5NHMPBUOLWN3WXTOEI/ GENTOO:GLSA-202208-15 URL:https://security.gentoo.org/glsa/202208-15 MISC:https://bugzilla.redhat.com/show_bug.cgi?id=1967397 MISC:https://www.openwall.com/lists/oss-security/2021/06/07/1 MISC:https://bugzilla.redhat.com/show_bug.cgi?id=1961710 URL:https://bugzilla.redhat.com/show_bug.cgi?id=1961710 MISC:https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/ URL:https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/ MLIST:[debian-lts-announce] 20220701 [SECURITY] [DLA 3066-1] isync security update URL:https://lists.debian.org/debian-lts-announce/2022/07/msg00001.html MLIST:[oss-security] 20210607 CVE-2021-3578: possible remote code execution in isync/mbsync URL:http://www.openwall.com/lists/oss-security/2021/06/07/1
Assigning CNA
Red Hat, Inc.
Date Record Created
20210603	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20210603)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)