PT-2024-7272 · Dovecot+10

Published: 2024-08-14 · Updated: 2025-01-30 · CVE-2024-23185

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Dovecot (affected versions not specified)
Description: The issue is related to resource exhaustion when parsing messages with very large headers. The message-parser reads reasonably sized chunks of the message, but when it feeds them to the message-header-parser, it starts building up a "full value" buffer out of the smaller chunks. This buffer has no size limit, so large headers can cause large memory usage. It doesn't matter whether it's a single long header line or a single header split into multiple lines. Attackers probably can't cause a denial-of-service (DoS) attack on a victim user this way, but a user could append larger mails, allowing them to DoS themselves. Implementing restrictions on headers on the MTA component preceding Dovecot can help mitigate the issue. No publicly available exploits are known.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider implementing restrictions on headers on the MTA component preceding Dovecot to minimize the risk of exploitation. Restrict large headers before they reach the backend to prevent memory exhaustion there. Avoid using large headers in mails to prevent self-denial-of-service.
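The Description and Recommendations above describe an accumulator that joins the chunks of one header into a "full value" buffer with no size cap, and suggest enforcing a header limit in front of Dovecot. The following Python is an added illustration of that check and is not Dovecot code or any MTA's own implementation: parse_headers() unfolds RFC 5322 headers and, when given max_header_bytes, rejects any single header (one long line or many folded lines) as soon as its accumulated size crosses the limit, so at most one extra line is ever buffered. The limit of 8192 bytes, the helper names and the sample messages are constructed for the example.

```python
"""Bounded accumulation of folded message headers (added example, not Dovecot code)."""
from typing import Dict, Optional

MAX_HEADER_BYTES = 8192  # constructed limit for this example


class HeaderTooLarge(ValueError):
    """One header (name plus all of its continuation lines) exceeds the limit."""


def parse_headers(raw: bytes, max_header_bytes: Optional[int] = None) -> Dict[bytes, bytes]:
    """Parse the header section of a message into {lowercased name: unfolded value}.

    With max_header_bytes=None the value of one header grows without limit,
    which is the behaviour the advisory describes.  With a limit, HeaderTooLarge
    is raised as soon as the bytes accumulated for the current header exceed it.
    """
    headers: Dict[bytes, bytes] = {}
    name: Optional[bytes] = None
    value = b""
    size = 0  # bytes accumulated for the header currently being built

    def flush() -> None:
        if name is not None:
            headers[name.strip().lower()] = value.strip()

    for line in raw.split(b"\r\n"):
        if line == b"":
            break  # blank line terminates the header section
        if name is not None and line[:1] in (b" ", b"\t"):
            # Folded continuation line: joined onto the current header's value.
            size += len(line)
            value += b" " + line.strip()
        else:
            flush()
            name, sep, value = line.partition(b":")
            if not sep:
                raise ValueError("malformed header line: %r" % line[:40])
            size = len(line)
        # Check right after each line so the overshoot is bounded by one line.
        if max_header_bytes is not None and size > max_header_bytes:
            raise HeaderTooLarge("header %r exceeds %d bytes" % (name, max_header_bytes))
    flush()
    return headers


def header_section_ok(raw: bytes, max_header_bytes: int = MAX_HEADER_BYTES) -> bool:
    """True if every header fits within the limit, False if one is too large."""
    try:
        parse_headers(raw, max_header_bytes)
    except HeaderTooLarge:
        return False
    return True


def make_oversized(total_bytes: int, line_len: int = 78) -> bytes:
    """Constructed message with a single header folded across many short lines."""
    lines = [b"X-Big: " + b"a" * (line_len - 7)]
    while sum(len(l) for l in lines) < total_bytes:
        lines.append(b" " + b"a" * (line_len - 1))
    return b"\r\n".join(lines) + b"\r\n\r\nbody\r\n"


# Constructed sample: a normal message with one folded header.
SAMPLE_OK = (
    b"From: alice@example.invalid\r\n"
    b"Subject: folded\r\n"
    b"\tacross lines\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    print(parse_headers(SAMPLE_OK))
    print("folded header accepted:", header_section_ok(SAMPLE_OK))
    big = make_oversized(100_000)
    print("unbounded value size:", len(parse_headers(big)[b"x-big"]))
    print("oversized header accepted:", header_section_ok(big))
    print("single long line accepted:",
          header_section_ok(b"X-Big: " + b"a" * 20000 + b"\r\n\r\n"))
```

Because the limit is checked per accumulated header rather than per line, the folded and single-line forms of an oversized header are rejected the same way, which is the distinction the Description draws; a real deployment would place this kind of limit in the MTA's own header-size setting rather than in a separate parser.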

Weakness Enumeration

DoS
Allocation of Resources Without Limits

Related Identifiers

ALSA-2024:6529
ALSA-2024:6973
ALT-PU-2024-11234
ALT-PU-2024-11395
ALT-PU-2024-11470
ALT-PU-2024-14992
AZL-48984
AZL-49027
BDU:2024-08624
CESA-2024_6973
CVE-2024-23185
DLA-3860-1
DSA-5752-1
INFSA-2024_6529
INFSA-2024_6973
MGASA-2024-0280
OESA-2024-2009
OPENSUSE-SU-2024:14274-1
OPENSUSE-SU-2024_3118-1
OPENSUSE-SU-2025:14715-1
RHSA-2024:6465
RHSA-2024:6529
RHSA-2024:6973
RHSA-2024_6529
RHSA-2024_6973
RLSA-2024:6529
RLSA-2024:6973
SUSE-SU-2024:3118-1
USN-6982-1
USN-7013-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Dovecot
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu