CVE-2011-1720

The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL authentication methods are enabled, does not create a new server handle after client authentication fails, which allows remote attackers to cause a denial of service (heap memory corruption and daemon crash) or possibly execute arbitrary code via an invalid AUTH command with one method followed by an AUTH command with a different method.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
VendorProductVersion
postfixpostfix
2.0.0
postfixpostfix
2.0.1
postfixpostfix
2.0.2
postfixpostfix
2.0.3
postfixpostfix
2.0.4
postfixpostfix
2.0.5
postfixpostfix
2.0.6
postfixpostfix
2.0.7
postfixpostfix
2.0.8
postfixpostfix
2.0.9
postfixpostfix
2.0.10
postfixpostfix
2.0.11
postfixpostfix
2.0.12
postfixpostfix
2.0.13
postfixpostfix
2.0.14
postfixpostfix
2.0.15
postfixpostfix
2.0.16
postfixpostfix
2.0.17
postfixpostfix
2.0.18
postfixpostfix
2.0.19
postfixpostfix
2.1.0
postfixpostfix
2.1.1
postfixpostfix
2.1.2
postfixpostfix
2.1.3
postfixpostfix
2.1.4
postfixpostfix
2.1.5
postfixpostfix
2.1.6
postfixpostfix
2.2.0
postfixpostfix
2.2.1
postfixpostfix
2.2.2
postfixpostfix
2.2.3
postfixpostfix
2.2.4
postfixpostfix
2.2.5
postfixpostfix
2.2.6
postfixpostfix
2.2.7
postfixpostfix
2.2.8
postfixpostfix
2.2.9
postfixpostfix
2.2.10
postfixpostfix
2.2.11
postfixpostfix
2.2.12
postfixpostfix
2.3
postfixpostfix
2.3.0
postfixpostfix
2.3.1
postfixpostfix
2.3.2
postfixpostfix
2.3.3
postfixpostfix
2.3.4
postfixpostfix
2.3.5
postfixpostfix
2.3.6
postfixpostfix
2.3.7
postfixpostfix
2.3.8
postfixpostfix
2.3.9
postfixpostfix
2.3.10
postfixpostfix
2.3.11
postfixpostfix
2.3.12
postfixpostfix
2.3.13
postfixpostfix
2.3.14
postfixpostfix
2.3.15
postfixpostfix
2.3.16
postfixpostfix
2.3.17
postfixpostfix
2.3.18
postfixpostfix
2.3.19
postfixpostfix
2.4
postfixpostfix
2.4.0
postfixpostfix
2.4.1
postfixpostfix
2.4.2
postfixpostfix
2.4.3
postfixpostfix
2.4.4
postfixpostfix
2.4.5
postfixpostfix
2.4.6
postfixpostfix
2.4.7
postfixpostfix
2.4.8
postfixpostfix
2.4.9
postfixpostfix
2.4.10
postfixpostfix
2.4.11
postfixpostfix
2.4.12
postfixpostfix
2.4.13
postfixpostfix
2.4.14
postfixpostfix
2.4.15
postfixpostfix
2.5.0
postfixpostfix
2.5.1
postfixpostfix
2.5.2
postfixpostfix
2.5.3
postfixpostfix
2.5.4
postfixpostfix
2.5.5
postfixpostfix
2.5.6
postfixpostfix
2.5.7
postfixpostfix
2.5.8
postfixpostfix
2.5.9
postfixpostfix
2.5.10
postfixpostfix
2.5.11
postfixpostfix
2.5.12
postfixpostfix
2.6
postfixpostfix
2.6.0
postfixpostfix
2.6.1
postfixpostfix
2.6.2
postfixpostfix
2.6.3
postfixpostfix
2.6.4
postfixpostfix
2.6.5
postfixpostfix
2.6.6
postfixpostfix
2.6.7
postfixpostfix
2.6.8
postfixpostfix
2.6.9
postfixpostfix
2.7.0
postfixpostfix
2.7.1
postfixpostfix
2.7.2
postfixpostfix
2.7.3
postfixpostfix
2.8.0
postfixpostfix
2.8.1
postfixpostfix
2.8.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
postfix
bullseye
3.5.25-0+deb11u1
fixed
bookworm
3.7.11-0+deb12u1
fixed
sid
3.9.0-3
fixed
trixie
3.9.0-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
postfix
natty
Fixed 2.8.2-1ubuntu2.1
released
maverick
Fixed 2.7.1-1ubuntu0.2
released
lucid
Fixed 2.7.0-1ubuntu0.2
released
hardy
Fixed 2.5.1-2ubuntu1.4
released
dapper
Fixed 2.2.10-1ubuntu0.4
released
Common Weakness Enumeration
References
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00002.html
http://secunia.com/advisories/44500
http://security.gentoo.org/glsa/glsa-201206-33.xml
http://securityreason.com/securityalert/8247
http://www.debian.org/security/2011/dsa-2233
http://www.kb.cert.org/vuls/id/727230
http://www.mail-archive.com/postfix-announce%40postfix.org/msg00007.html
http://www.mandriva.com/security/advisories?name=MDVSA-2011:090
http://www.osvdb.org/72259
http://www.postfix.org/CVE-2011-1720.html
http://www.postfix.org/announcements/postfix-2.8.3.html
http://www.securityfocus.com/archive/1/517917/100/0/threaded
http://www.securityfocus.com/bid/47778
http://www.securitytracker.com/id?1025521
http://www.ubuntu.com/usn/usn-1131-1
https://bugzilla.redhat.com/show_bug.cgi?id=699035
https://exchange.xforce.ibmcloud.com/vulnerabilities/67359
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00002.html
http://secunia.com/advisories/44500
http://security.gentoo.org/glsa/glsa-201206-33.xml
http://securityreason.com/securityalert/8247
http://www.debian.org/security/2011/dsa-2233
http://www.kb.cert.org/vuls/id/727230
http://www.mail-archive.com/postfix-announce%40postfix.org/msg00007.html
http://www.mandriva.com/security/advisories?name=MDVSA-2011:090
http://www.osvdb.org/72259
http://www.postfix.org/CVE-2011-1720.html
http://www.postfix.org/announcements/postfix-2.8.3.html
http://www.securityfocus.com/archive/1/517917/100/0/threaded
http://www.securityfocus.com/bid/47778
http://www.securitytracker.com/id?1025521
http://www.ubuntu.com/usn/usn-1131-1
https://bugzilla.redhat.com/show_bug.cgi?id=699035
https://exchange.xforce.ibmcloud.com/vulnerabilities/67359