GHSA-gmc6-fwg3-75m5
Denial of service vulnerability in MimeKit (NuGet)

Denial of service | No known exploit

What is GHSA-gmc6-fwg3-75m5 About?

This is a denial of service vulnerability affecting MimeKit when processing S/MIME messages or importing X.509 certificates. It allows attackers to trigger a DoS condition by providing specially crafted input, potentially disrupting service availability. Exploitation appears relatively straightforward given the specific conditions.

Affected Software

MimeKit >3.0.0, <4.7.1

Technical Details

The vulnerability lies within MimeKit (versions >= v3.0.0 and <= v4.7.0) and affects it when decrypting or verifying S/MIME messages, or when importing third-party X.509 certificates. The provided description does not fully detail the technical mechanism, but it indicates that the vulnerability is caused by an issue in a transitive dependency, System.Security.Cryptography.Pkcs. Attackers can leverage this by sending malformed S/MIME messages or providing specially crafted X.509 certificates, leading to a denial of service due to the application's inability to properly process the cryptographic operations.

What is the Impact of GHSA-gmc6-fwg3-75m5?

Successful exploitation may allow attackers to cause a denial of service, rendering the affected application or service unavailable to legitimate users.

What is the Exploitability of GHSA-gmc6-fwg3-75m5?

Exploitation involves providing specially crafted S/MIME messages or X.509 certificates to an application that uses vulnerable versions of MimeKit. This indicates a remote attack vector where an attacker can send malicious content to the affected system. No specific authentication or privilege requirements are mentioned, suggesting it could be exploited by unauthenticated or low-privileged attackers able to interact with the S/MIME or certificate import features. The complexity appears moderate, requiring the attacker to understand the specific input format and the underlying cryptographic library's vulnerabilities. The presence of a PoC (though not fully detailed) and the potential for a direct denial of service impact increase the likelihood of exploitation for motivated adversaries.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for GHSA-gmc6-fwg3-75m5?

Available Upgrade Options

  • MimeKit
    • >3.0.0, <4.7.1 → Upgrade to 4.7.1
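One way to check whether a project resolves an affected MimeKit version, directly or through another package, as an added example that is not part of the advisory or of MimeKit. It assumes the project uses NuGet lock files (packages.lock.json), uses the inclusive 3.0.0 lower bound from Technical Details, and runs on a constructed sample lock file; the function names are hypothetical.

```python
import json

# Range from the advisory's Technical Details (3.0.0 through 4.7.0); fixed in 4.7.1.
AFFECTED_MIN = (3, 0, 0)
FIXED = (4, 7, 1)

def parse_version(text):
    """'4.7.0' or '4.7.0-beta' -> (4, 7, 0). Pre-release labels are ignored."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) < FIXED

def find_affected_mimekit(lock_text):
    """Return (framework, dependency type, resolved version) for every
    affected MimeKit entry in the text of a packages.lock.json file."""
    lock = json.loads(lock_text)
    hits = []
    for framework, packages in lock.get("dependencies", {}).items():
        for name, info in packages.items():
            if name.lower() != "mimekit":  # NuGet package IDs are case-insensitive
                continue
            resolved = info.get("resolved", "")
            if resolved and is_affected(resolved):
                hits.append((framework, info.get("type", "unknown"), resolved))
    return hits

# Constructed sample: MimeKit arrives transitively through MailKit on one
# target framework and is already upgraded on the other.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "MailKit": {"type": "Direct", "resolved": "4.3.0"},
            "MimeKit": {"type": "Transitive", "resolved": "4.3.0"},
        },
        "net6.0": {
            "MimeKit": {"type": "Direct", "resolved": "4.7.1"},
        },
    },
})

if __name__ == "__main__":
    for framework, dep_type, resolved in find_affected_mimekit(SAMPLE_LOCK):
        print(f"{framework}: MimeKit {resolved} ({dep_type}) is affected; upgrade to 4.7.1")
```

A "Transitive" hit means MimeKit is pulled in by another package, so the upgrade has to come from that package or from an explicit MimeKit reference.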

Additional Resources

What are Similar Vulnerabilities to GHSA-gmc6-fwg3-75m5?

Similar Vulnerabilities: CVE-2024-43483, CVE-2023-38174, CVE-2023-28292, CVE-2023-29331, CVE-2023-29328