Vulnerability Report

CVE-2009-0688

RCE

Title: Carnegie Mellon University Cyrus-Sasl RCE

RCE

Proof Of Concept

No public PoC currently indexed for CVE-2009-0688.

CWE Category CWE-119

Published Date May 15, 2009

Modified Date Apr 09, 2025

Exploit Status Not Found

Score 7.5 CVSS v2.0

Exploit Probability (EPSS)

39.48%

Vulnerability Summary

CVE-2009-0688: Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.

Impacted Vendors

carnegie_mellon_university 1

Reference Links

ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.23.tar.gz http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html http://osvdb.org/54514 http://osvdb.org/54515 http://secunia.com/advisories/35094 http://secunia.com/advisories/35097 http://secunia.com/advisories/35102 http://secunia.com/advisories/35206 http://secunia.com/advisories/35239 http://secunia.com/advisories/35321 http://secunia.com/advisories/35416 http://secunia.com/advisories/35497 http://secunia.com/advisories/35746 http://secunia.com/advisories/39428 http://security.gentoo.org/glsa/glsa-200907-09.xml http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.448834 http://sunsolve.sun.com/search/document.do?assetkey=1-66-259148-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-264248-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-273910-1 http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020755.1-1 http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021699.1-1 http://support.apple.com/kb/HT4077 http://support.avaya.com/elmodocs2/security/ASA-2009-184.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0091 http://www.debian.org/security/2009/dsa-1807 http://www.kb.cert.org/vuls/id/238019 http://www.mandriva.com/security/advisories?name=MDVSA-2009:113 http://www.oracle.com/technetwork/topics/security/cpuapr2010-099504.html http://www.redhat.com/support/errata/RHSA-2009-1116.html http://www.securityfocus.com/bid/34961 http://www.securitytracker.com/id?1022231 http://www.ubuntu.com/usn/usn-790-1 http://www.us-cert.gov/cas/techalerts/TA10-103B.html http://www.vupen.com/english/advisories/2009/1313 http://www.vupen.com/english/advisories/2009/2012 https://exchange.xforce.ibmcloud.com/vulnerabilities/50554 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10687 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6136 ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.23.tar.gz http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html http://osvdb.org/54514 http://osvdb.org/54515 http://secunia.com/advisories/35094 http://secunia.com/advisories/35097 http://secunia.com/advisories/35102 http://secunia.com/advisories/35206 http://secunia.com/advisories/35239 http://secunia.com/advisories/35321 http://secunia.com/advisories/35416 http://secunia.com/advisories/35497 http://secunia.com/advisories/35746 http://secunia.com/advisories/39428 http://security.gentoo.org/glsa/glsa-200907-09.xml http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.448834 http://sunsolve.sun.com/search/document.do?assetkey=1-66-259148-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-264248-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-273910-1 http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020755.1-1 http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021699.1-1 http://support.apple.com/kb/HT4077 http://support.avaya.com/elmodocs2/security/ASA-2009-184.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0091 http://www.debian.org/security/2009/dsa-1807 http://www.kb.cert.org/vuls/id/238019 http://www.mandriva.com/security/advisories?name=MDVSA-2009:113 http://www.oracle.com/technetwork/topics/security/cpuapr2010-099504.html http://www.redhat.com/support/errata/RHSA-2009-1116.html http://www.securityfocus.com/bid/34961 http://www.securitytracker.com/id?1022231 http://www.ubuntu.com/usn/usn-790-1 http://www.us-cert.gov/cas/techalerts/TA10-103B.html http://www.vupen.com/english/advisories/2009/1313 http://www.vupen.com/english/advisories/2009/2012 https://exchange.xforce.ibmcloud.com/vulnerabilities/50554 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10687 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6136

CVSS v2.0

Source Entity [email protected]

Severity HIGH

7.5

Access Vector

N/A

Authentication

N/A

RAW VECTOR AV:N/AC:L/Au:N/C:P/I:P/A:P

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2009-0688 Exploits & PoCs (Proof Of Concept)

No public PoCs found in our database for this CVE.

April 09, 2025 MODIFIED

Vulnerability data or affected products updated.

May 15, 2009 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector N/A

Complexity N/A

Privileges N/A

Interaction NONE

CVSS Vector String


                                    AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected Stack

No specific products linked.