
Unspecified vulnerability in the fetchmail script

High
kaiyou published GHSA-2467-p5gv-58q6 Feb 10, 2020

Package

Mailu

Affected versions

all

Patched versions

>=1.5

Description

Impact

An authenticated user can exploit a vulnerability in the Mailu fetchmail script and gain full access to a Mailu server. Details about the vulnerability and exploitation path will be published later.

Mailu servers that have open registration or untrusted users are most likely to be impacted.

Mailu servers that do not have the (optional) fetchmail feature enabled are not impacted.

Patches

  • The master and 1.7 branches are patched on our git repository.
  • All Docker images published on docker.io/mailu for tags 1.5, 1.6, 1.7 and master are patched.

For detailed instructions about patching and securing the server afterwards, see #1354.

Workarounds

One of these workarounds should prevent exploitation:

  • Bring the fetchmail service down: docker-compose stop fetchmail
  • Bring the Mailu stack down: docker-compose stop

For detailed instructions, see #1354.

References

  • Detailed instructions: #1354

For more information

If you have any questions or comments about this advisory, please comment on the dedicated thread: #1355

If you have specific questions that you cannot ask in public, please contact us at: contact@mailu.io.

Severity

High

CVE ID

CVE-2020-5239

Weaknesses

No CWEs