{"id":"CVE-2017-14230","details":"In the mboxlist_do_find function in imap/mboxlist.c in Cyrus IMAP before 3.0.4, an off-by-one error in prefix calculation for the LIST command caused use of uninitialized memory, which might allow remote attackers to obtain sensitive information or cause a denial of service (daemon crash) via a 'LIST \"\" \"Other Users\"' command.","modified":"2026-04-11T04:47:44.377587Z","published":"2017-09-10T07:29:00.177Z","references":[{"type":"ADVISORY","url":"https://lists.andrew.cmu.edu/pipermail/cyrus-announce/2017-September/000145.html"},{"type":"ADVISORY","url":"https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.4.html"},{"type":"REPORT","url":"https://github.com/cyrusimap/cyrus-imapd/issues/2132"},{"type":"FIX","url":"https://github.com/cyrusimap/cyrus-imapd/commit/6bd33275368edfa71ae117de895488584678ac79"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cyrusimap/cyrus-imapd","events":[{"introduced":"0"},{"last_affected":"1b4c53fe2193c72657b6108ec2e44e3e20bee22c"},{"fixed":"6bd33275368edfa71ae117de895488584678ac79"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.0.3"}]}}],"versions":["cyrus-imapd-2.4.0","cyrus-imapd-2.4.1","cyrus-imapd-2.4.2","cyrus-imapd-2.5-snapshot-autoconf-and-automake","cyrus-imapd-3.0.0","cyrus-imapd-3.0.0-beta1","cyrus-imapd-3.0.0-beta2","cyrus-imapd-3.0.0-beta3","cyrus-imapd-3.0.0-beta4","cyrus-imapd-3.0.0-beta5","cyrus-imapd-3.0.0-beta6","cyrus-imapd-3.0.0-rc1","cyrus-imapd-3.0.0-rc2","cyrus-imapd-3.0.0-rc3","cyrus-imapd-3.0.0-rc4","cyrus-imapd-3.0.1","cyrus-imapd-3.0.2","cyrus-imapd-3.0.3","posttab","pretab"],"database_specific":{"vanir_signatures":[{"id":"CVE-2017-14230-c356bb58","target":{"file":"imap/mboxlist.c","function":"mboxlist_do_find"},"digest":{"length":4774,"function_hash":"318003610013149923191349096931759050144"},"source":"https://github.com/cyrusimap/cyrus-imapd/commit/6bd33275368edfa71ae117de895488584678ac79","signature_version":"v1","deprecated":false,"signature_type":"Function"},{"id":"CVE-2017-14230-eb6e0977","target":{"file":"imap/mboxlist.c"},"digest":{"line_hashes":["303224277919733571194830660370096213491","233891236620404226887763782120200254053","236590487059679711452472757449154608425","102894069614395639556191154355283669943"],"threshold":0.9},"source":"https://github.com/cyrusimap/cyrus-imapd/commit/6bd33275368edfa71ae117de895488584678ac79","signature_version":"v1","deprecated":false,"signature_type":"Line"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14230.json","vanir_signatures_modified":"2026-04-11T04:47:44Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}]}