Vulnerabilities > CVE-2020-12460 - Out-of-bounds Write vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREV_INUSE flag.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/trusteddomainproject/OpenDMARC/issues/64
- https://lists.debian.org/debian-lts-announce/2021/04/msg00026.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2D4JGHMALEJEWWG56DKR5OZB22TK7W5B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JHDKMCZGE3W4XBP76NLI2Q7IOZHXLD4A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBOGOQOK3TIWWJV66MW5YWNRJAFFYGR5/
- https://security.gentoo.org/glsa/202011-02
- https://sourceforge.net/projects/opendmarc/
- https://github.com/trusteddomainproject/OpenDMARC/issues/64
- https://sourceforge.net/projects/opendmarc/
- https://security.gentoo.org/glsa/202011-02
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBOGOQOK3TIWWJV66MW5YWNRJAFFYGR5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JHDKMCZGE3W4XBP76NLI2Q7IOZHXLD4A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2D4JGHMALEJEWWG56DKR5OZB22TK7W5B/
- https://lists.debian.org/debian-lts-announce/2021/04/msg00026.html