汇总 fetchmail 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
常见弱点模式包括 输入验证问题、缓冲区溢出与路径处理缺陷,在 软件部署与生产负载 使用场景中可能带来 异常行为、应用崩溃与内存损坏 等风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2021-39272 | Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH. | [email protected] | 5.9 | 0.90% | 2021-08-30 | 2024-11-21 |
| CVE-2021-36386 | report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user. | [email protected] | 7.5 | 2.56% | 2021-07-30 | 2024-11-21 |
| CVE-2012-3482 | Fetchmail 5.0.8 through 6.3.21, when using NTLM authentication in debug mode, allows remote NTLM servers to (1) cause a denial of service (crash and delayed delivery of inbound mail) via a crafted NTLM response that triggers an out-of-bounds read in the base64 decoder, or (2) obtain sensitive information from memory via an NTLM Type 2 message with a crafted Target Name structure, which triggers an out-of-bounds read. | [email protected] | 5.8 | 1.87% | 2012-12-21 | 2026-04-29 |
| CVE-2011-1947 | fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets. | [email protected] | 5.0 | 2.55% | 2011-06-02 | 2026-04-29 |
| CVE-2010-1167 | fetchmail 4.6.3 through 6.3.16, when debug mode is enabled, does not properly handle invalid characters in a multi-character locale, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted (1) message header or (2) POP3 UIDL list. | [email protected] | 4.3 | 2.21% | 2010-05-07 | 2026-04-29 |
| CVE-2010-0562 | The sdump function in sdump.c in fetchmail 6.3.11, 6.3.12, and 6.3.13, when running in verbose mode on platforms for which char is signed, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an SSL X.509 certificate containing non-printable characters with the high bit set, which triggers a heap-based buffer overflow during escaping. | [email protected] | 6.8 | 2.49% | 2010-02-08 | 2026-04-29 |
| CVE-2009-2666 | socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | [email protected] | 6.4 | 1.50% | 2009-08-07 | 2026-04-23 |
| CVE-2008-2711 | fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which triggers an erroneous dereference when using vsnprintf to format log messages. | [email protected] | 4.3 | 3.00% | 2008-06-16 | 2026-04-23 |
| CVE-2007-4565 | sink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP. | [email protected] | 5.0 | 1.97% | 2007-08-28 | 2026-04-23 |
| CVE-2006-5974 | fetchmail 6.3.5 and 6.3.6 before 6.3.6-rc4, when refusing a message delivered via the mda option, allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger a NULL pointer dereference when calling the (1) ferror or (2) fflush functions. | [email protected] | 7.8 | 3.79% | 2006-12-31 | 2026-04-23 |
| CVE-2006-5867 | fetchmail before 6.3.6-rc4 does not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive information via man-in-the-middle (MITM) attacks. | [email protected] | 7.8 | 4.25% | 2006-12-31 | 2026-04-23 |
| CVE-2006-0321 | fetchmail 6.3.0 and other versions before 6.3.2 allows remote attackers to cause a denial of service (crash) via crafted e-mail messages that cause a free of an invalid pointer when fetchmail bounces the message to the originator or local postmaster. | [email protected] | 5.0 | 3.42% | 2006-01-24 | 2026-04-16 |
| CVE-2005-4348 | fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers. | [email protected] | 7.8 | 3.64% | 2005-12-21 | 2026-04-16 |
| CVE-2005-3088 | fetchmailconf before 1.49 in fetchmail 6.2.0, 6.2.5 and 6.2.5.2 creates configuration files with insecure world-readable permissions, which allows local users to obtain sensitive information such as passwords. | [email protected] | 2.1 | 0.45% | 2005-10-27 | 2026-04-16 |
| CVE-2005-2335 | Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier. | [email protected] | 5.0 | 5.88% | 2005-07-27 | 2026-04-16 |
| CVE-2003-0792 | Fetchmail 6.2.4 and earlier does not properly allocate memory for long lines, which allows remote attackers to cause a denial of service (crash) via a certain email. | [email protected] | 5.0 | 1.94% | 2003-11-17 | 2026-06-16 |
| CVE-2002-1365 | Heap-based buffer overflow in Fetchmail 6.1.3 and earlier does not account for the "@" character when determining buffer lengths for local addresses, which allows remote attackers to execute arbitrary code via a header with a large number of local addresses. | [email protected] | 7.5 | 4.95% | 2002-12-23 | 2026-06-16 |
| CVE-2002-1175 | The getmxrecord function in Fetchmail 6.0.0 and earlier does not properly check the boundary of a particular malformed DNS packet from a malicious DNS server, which allows remote attackers to cause a denial of service (crash) when Fetchmail attempts to read data beyond the expected boundary. | [email protected] | 5.0 | 1.99% | 2002-10-11 | 2026-06-16 |
| CVE-2002-1174 | Buffer overflows in Fetchmail 6.0.0 and earlier allow remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) long headers that are not properly processed by the readheaders function, or (2) via long Received: headers, which are not properly parsed by the parse_received function. | [email protected] | 7.5 | 4.73% | 2002-10-11 | 2026-06-16 |
| CVE-2002-0146 | fetchmail email client before 5.9.10 does not properly limit the maximum number of messages available, which allows a remote IMAP server to overwrite memory via a message count that exceeds the boundaries of an array. | [email protected] | 5.0 | 1.49% | 2002-06-25 | 2026-06-16 |