GHSA-m6m5-pp4g-fcc8 – github.com/foxcpp/maddy
Package
Manager: go
Name: github.com/foxcpp/maddy
Vulnerable Version: >=0 <0.5.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: N/A (pctl: N/A)
Details
S3 storage write is not aborted on errors, leading to unbounded memory usage

### Impact

Anyone using storage.blob.s3 introduced in 0.5.0 with storage.imapsql.

```
storage.imapsql local_mailboxes {
    ...
    msg_store s3 {
        ...
    }
}
```

### Patches

The relevant commit is pushed to master and will be included in the 0.5.1 release. No special handling of the issue has been done due to the small number of affected users.

### Workarounds

None.

### References

* Original report: https://github.com/foxcpp/maddy/issues/395
* Fix: https://github.com/foxcpp/maddy/commit/07c8495ee4394fabbf5aac4df8aebeafb2fb29d8
Metadata
Created: 2021-10-06T17:47:35Z
Modified: 2021-10-06T16:48:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-m6m5-pp4g-fcc8/GHSA-m6m5-pp4g-fcc8.json
CWE IDs: ["CWE-772"]
Alternative ID: N/A
Finding: F067
Auto approve: 1