MidnightBSD

Advisories for trusteddomain

CVE-2019-16378 HIGH

OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone to a signature-bypass vulnerability with multiple From: addresses, which might affect applications that consider a domain name to be relevant to the origin of an e-mail message.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-290,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 31
canonical ubuntu_linux 18.04
trusteddomain opendmarc *
trusteddomain opendmarc 1.4.0
fedoraproject fedora 29
fedoraproject fedora 30
debian debian_linux 9.0
CVE-2019-20790 MEDIUM

OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-290,

Products Affected

Vendor Product Version
fedoraproject fedora 34
trusteddomain opendmarc *
trusteddomain opendmarc 1.4.0
pypolicyd-spf_project pypolicyd-spf 2.0.2
fedoraproject fedora 33
CVE-2020-12272 MEDIUM

OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-290,

Products Affected

Vendor Product Version
fedoraproject fedora 34
trusteddomain opendmarc *
trusteddomain opendmarc 1.4.0
fedoraproject fedora 33
CVE-2020-12460 HIGH

OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREV_INUSE flag.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
fedoraproject fedora 34
trusteddomain opendmarc *
trusteddomain opendmarc 1.4.0
debian debian_linux 9.0
fedoraproject fedora 33
CVE-2021-34555 MEDIUM

OpenDMARC 1.4.1 and 1.4.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a multi-value From header field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
trusteddomain opendmarc 1.4.1
fedoraproject fedora 34
trusteddomain opendmarc 1.4.1.1
fedoraproject fedora 33
CVE-2024-25768

OpenDMARC 1.4.2 contains a null pointer dereference vulnerability in /OpenDMARC/libopendmarc/opendmarc_policy.c.

Products Affected

Vendor Product Version
trusteddomain opendmarc 1.4.2