7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2015-10085

GHSA ID

GHSA-wr8h-w969-36m8

EPSS Score

0.12588%

CWE

CWE-404

Published

2/21/2023

Updated

10/20/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2015-10085

CVE-2015-10085: GoPistolet vulnerable to Improper Resource Shutdown or Release

A vulnerability was found in GoPistolet. It has been declared as problematic. This vulnerability affects unknown code of the component MTA. The manipulation leads to denial of service. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The name of the patch is b91aa4674d460993765884e8463c70e6d886bc90. It is recommended to apply a patch to fix this issue. VDB-221506 is the identifier assigned to this vulnerability.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2015-10085

GHSA ID

GHSA-wr8h-w969-36m8

EPSS Score

0.12588%

CWE

CWE-404

Published

2/21/2023

Updated

10/20/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/gopistolet/gopistolet	go	< 0.0.0-20210418093520-a5395f728f8d	0.0.0-20210418093520-a5395f728f8d

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: 1) The GetCmd function in smtp/protocol.go lacked proper input validation (MAX_CMD_LINE checks) and error handling, as evidenced by the patch adding ReadUntil with length limits. 2) The HandleClient loop in mta/mta.go used fragile boolean checks instead of proper error handling, as shown by the patch replacing 'ok' with error propagation. The combination could allow attackers to exhaust resources through long/unterminated commands that kept connections open without proper cleanup.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in *oPistol*t. It **s ***n ***l*r** *s pro*l*m*ti*. T*is vuln*r**ility *****ts unknown *o** o* t** *ompon*nt MT*. T** m*nipul*tion l***s to **ni*l o* s*rvi**. *ontinious **liv*ry wit* rollin* r*l**s*s is us** *y t*is pro*u*t

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: *) T** **t*m* *un*tion in smtp/proto*ol.*o l**k** prop*r input v*li**tion (M*X_*M*_LIN* ****ks) *n* *rror **n*lin*, *s *vi**n*** *y t** p*t** ***in* R***Until wit* l*n*t* limits. *) T** **n*l**li*nt loop i

7.5

Basic Information

Concerned about an active attack path?

CVE-2015-10085: GoPistolet vulnerable to Improper Resource Shutdown or Release

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI