CVE-2021-3578
Published: Feb 16, 2022
Modified: Aug 3, 2024
PUBLISHED
Description
A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response. This could be plausibly exploited for remote code execution on the client.
| Vendor | Product | Versions |
|---|---|---|
| n/a | isync | affected isync 1.3.6, isync 1.4.2 |
Weaknesses (CWE)
References
[oss-security] 20210607 CVE-2021-3578: possible remote code execution in isync/mbsync
mailing-list
x_refsource_MLIST
FEDORA-2021-f236f9f01a
vendor-advisory
x_refsource_FEDORA
FEDORA-2021-754af4d52b
vendor-advisory
x_refsource_FEDORA
https://bugzilla.redhat.com/show_bug.cgi?id=1961710
x_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=1967397
x_refsource_MISC
https://www.openwall.com/lists/oss-security/2021/06/07/1
x_refsource_MISC
[debian-lts-announce] 20220701 [SECURITY] [DLA 3066-1] isync security update
mailing-list
x_refsource_MLIST
GLSA-202208-15
vendor-advisory
x_refsource_GENTOO