PT-2024-5814 · Dovecot · Dovecot IMAP Server

Published: 2024-08-15 · Updated: 2025-01-30 · CVE-2024-23184

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Dovecot IMAP Server versions 2.2 through 2.3.20

Description: The issue is caused by excessive CPU usage when parsing emails that contain a very large number of address headers; external actors can exploit it to consume system resources and cause an outage. With 100k header lines, parsing can take 12 seconds of CPU time, and in production environments 500k header lines have been observed to take 18 minutes to parse. The condition can be triggered by sending specially crafted messages to a victim. Implementing restrictions on address headers in the MTA component preceding Dovecot can help mitigate the issue.

Recommendations: For Dovecot IMAP Server versions 2.2 through 2.3.20, upgrade Dovecot immediately to a version that is not affected by this issue. As a temporary workaround, consider implementing restrictions on address headers in the MTA component preceding Dovecot to minimize the risk of exploitation.

Fix

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers

ALSA-2024:6529
ALSA-2024:6973
ALT-PU-2024-11234
ALT-PU-2024-11395
ALT-PU-2024-11470
ALT-PU-2024-14992
AZL-48981
AZL-49024
BDU:2024-06559
CESA-2024_6973
CVE-2024-23184
DLA-3860-1
DSA-5752-1
INFSA-2024_6529
INFSA-2024_6973
MGASA-2024-0280
OESA-2024-2009
OPENSUSE-SU-2024:14274-1
OPENSUSE-SU-2024_3118-1
OPENSUSE-SU-2025:14715-1
RHSA-2024:6465
RHSA-2024:6529
RHSA-2024:6973
RHSA-2024_6529
RHSA-2024_6973
RLSA-2024:6529
RLSA-2024:6973
SUSE-SU-2024:3118-1
SUSE-SU-2024_3118-1
USN-6982-1
USN-7013-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Dovecot IMAP Server
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu