Vulnerabilities related to foxcpp - maddy
CVE-2021-42583 (GCVE-0-2021-42583)
Vulnerability from cvelistv5
Published
2021-12-28 18:12
Modified
2024-08-04 03:38
CWE
- n/a
Summary
A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:38:49.354Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/foxcpp/maddy/blob/df40dce1284cd0fd0a9e8e7894029553d653d0a5/internal/auth/shadow/verify.go" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/foxcpp/maddy/releases/tag/v0.5.2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-12-28T18:12:42", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/foxcpp/maddy/blob/df40dce1284cd0fd0a9e8e7894029553d653d0a5/internal/auth/shadow/verify.go" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/foxcpp/maddy/releases/tag/v0.5.2" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-42583", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/foxcpp/maddy/blob/df40dce1284cd0fd0a9e8e7894029553d653d0a5/internal/auth/shadow/verify.go", "refsource": "MISC", "url": "https://github.com/foxcpp/maddy/blob/df40dce1284cd0fd0a9e8e7894029553d653d0a5/internal/auth/shadow/verify.go" }, { "name": "https://github.com/foxcpp/maddy/releases/tag/v0.5.2", "refsource": "MISC", "url": "https://github.com/foxcpp/maddy/releases/tag/v0.5.2" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-42583", "datePublished": "2021-12-28T18:12:42", "dateReserved": "2021-10-18T00:00:00", "dateUpdated": "2024-08-04T03:38:49.354Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-27582 (GCVE-0-2023-27582)
Vulnerability from cvelistv5
Published
2023-03-13 21:40
Modified
2025-02-25 14:58
Summary
maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted as is after checking the credentials for the authentication username. maddy 0.6.3 includes the fix for the bug. There are no known workarounds.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:16:36.244Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/foxcpp/maddy/security/advisories/GHSA-4g76-w3xw-2x6w", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/foxcpp/maddy/security/advisories/GHSA-4g76-w3xw-2x6w" }, { "name": "https://github.com/foxcpp/maddy/commit/55a91a37b71210f34f98f4d327c30308fe24399a", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/foxcpp/maddy/commit/55a91a37b71210f34f98f4d327c30308fe24399a" }, { "name": "https://github.com/foxcpp/maddy/commit/9f58cb64b39cdc01928ec463bdb198c4c2313a9c", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/foxcpp/maddy/commit/9f58cb64b39cdc01928ec463bdb198c4c2313a9c" }, { "name": "https://github.com/foxcpp/maddy/releases/tag/v0.6.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/foxcpp/maddy/releases/tag/v0.6.3" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-27582", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-02-25T14:31:06.246958Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-25T14:58:06.143Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "maddy", "vendor": "foxcpp", "versions": [ { "status": "affected", "version": "\u003e= 0.2.0, \u003c 0.6.3" } ] } ], "descriptions": [ { "lang": "en", "value": "maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. 
Instead of validating the specified username, it is accepted as is after checking the credentials for the authentication username. maddy 0.6.3 includes the fix for the bug. There are no known workarounds." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-305", "description": "CWE-305: Authentication Bypass by Primary Weakness", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-13T21:40:23.225Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/foxcpp/maddy/security/advisories/GHSA-4g76-w3xw-2x6w", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/foxcpp/maddy/security/advisories/GHSA-4g76-w3xw-2x6w" }, { "name": "https://github.com/foxcpp/maddy/commit/55a91a37b71210f34f98f4d327c30308fe24399a", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/foxcpp/maddy/commit/55a91a37b71210f34f98f4d327c30308fe24399a" }, { "name": "https://github.com/foxcpp/maddy/commit/9f58cb64b39cdc01928ec463bdb198c4c2313a9c", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/foxcpp/maddy/commit/9f58cb64b39cdc01928ec463bdb198c4c2313a9c" }, { "name": "https://github.com/foxcpp/maddy/releases/tag/v0.6.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/foxcpp/maddy/releases/tag/v0.6.3" } ], "source": { "advisory": "GHSA-4g76-w3xw-2x6w", "discovery": "UNKNOWN" }, "title": "Full authentication bypass if SASL authorization username is 
specified" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-27582", "datePublished": "2023-03-13T21:40:23.225Z", "dateReserved": "2023-03-04T01:03:53.633Z", "dateUpdated": "2025-02-25T14:58:06.143Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-24732 (GCVE-0-2022-24732)
Vulnerability from cvelistv5
Published
2022-03-09 19:40
Modified
2025-04-23 18:56
Summary
Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upgrade should manually remove expired accounts via existing filtering mechanisms.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:49.847Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/foxcpp/maddy/security/advisories/GHSA-6cp7-g972-w9m9" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/foxcpp/maddy/commit/7ee6a39c6a1939b376545f030a5efd6f90913583" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-24732", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-23T14:09:25.376848Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-23T18:56:33.643Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "maddy", "vendor": "foxcpp", "versions": [ { "status": "affected", "version": "\u003c 0.5.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upgrade should manually remove expired accounts via existing filtering mechanisms." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-324", "description": "CWE-324: Use of a Key Past its Expiration Date", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-09T19:40:08.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/foxcpp/maddy/security/advisories/GHSA-6cp7-g972-w9m9" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/foxcpp/maddy/commit/7ee6a39c6a1939b376545f030a5efd6f90913583" } ], "source": { "advisory": "GHSA-6cp7-g972-w9m9", "discovery": "UNKNOWN" }, "title": "Maddy Mail Server does not implement account expiry", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24732", "STATE": "PUBLIC", "TITLE": "Maddy Mail Server does not implement account expiry" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "maddy", "version": { "version_data": [ { "version_value": "\u003c 0.5.4" } ] } } ] }, "vendor_name": "foxcpp" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. 
Users unable to upgrade should manually remove expired accounts via existing filtering mechanisms." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-613: Insufficient Session Expiration" } ] }, { "description": [ { "lang": "eng", "value": "CWE-324: Use of a Key Past its Expiration Date" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/foxcpp/maddy/security/advisories/GHSA-6cp7-g972-w9m9", "refsource": "CONFIRM", "url": "https://github.com/foxcpp/maddy/security/advisories/GHSA-6cp7-g972-w9m9" }, { "name": "https://github.com/foxcpp/maddy/commit/7ee6a39c6a1939b376545f030a5efd6f90913583", "refsource": "MISC", "url": "https://github.com/foxcpp/maddy/commit/7ee6a39c6a1939b376545f030a5efd6f90913583" } ] }, "source": { "advisory": "GHSA-6cp7-g972-w9m9", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24732", "datePublished": "2022-03-09T19:40:08.000Z", "dateReserved": "2022-02-10T00:00:00.000Z", "dateUpdated": "2025-04-23T18:56:33.643Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-42583
Vulnerability from fkie_nvd
Published
2021-12-28 19:15
Modified
2024-11-21 06:27
Summary
A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/foxcpp/maddy/blob/df40dce1284cd0fd0a9e8e7894029553d653d0a5/internal/auth/shadow/verify.go | Third Party Advisory | |
cve@mitre.org | https://github.com/foxcpp/maddy/releases/tag/v0.5.2 | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/foxcpp/maddy/blob/df40dce1284cd0fd0a9e8e7894029553d653d0a5/internal/auth/shadow/verify.go | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/foxcpp/maddy/releases/tag/v0.5.2 | Release Notes, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:foxcpp:maddy:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D772E32-2B6C-4681-967D-D42B7E41AF59", "versionEndExcluding": "0.5.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information." }, { "lang": "es", "value": "Se presenta un Algoritmo Criptogr\u00e1fico Roto o Arriesgado en Max Mazurov Maddy versiones anteriores a 0.5.2, lo que supone un riesgo innecesario que puede resultar en una exposici\u00f3n de informaci\u00f3n confidencial" } ], "id": "CVE-2021-42583", "lastModified": "2024-11-21T06:27:51.177", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-12-28T19:15:07.970", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], 
"url": "https://github.com/foxcpp/maddy/blob/df40dce1284cd0fd0a9e8e7894029553d653d0a5/internal/auth/shadow/verify.go" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/foxcpp/maddy/releases/tag/v0.5.2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/foxcpp/maddy/blob/df40dce1284cd0fd0a9e8e7894029553d653d0a5/internal/auth/shadow/verify.go" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/foxcpp/maddy/releases/tag/v0.5.2" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-327" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }