Unrated severityNVD Advisory· Published Oct 27, 2013· Updated Apr 29, 2026
CVE-2013-4122
CVE-2013-4122
Description
Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle when a NULL value is returned upon an error by the crypt function as implemented in glibc 2.17 and later, which allows remote attackers to cause a denial of service (thread crash and consumption) via (1) an invalid salt or, when FIPS-140 is enabled, a (2) DES or (3) MD5 encrypted password, which triggers a NULL pointer dereference.
Affected products
9cpe:2.3:a:cmu:cyrus-sasl:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:a:cmu:cyrus-sasl:*:*:*:*:*:*:*:*range: <=2.1.26
- cpe:2.3:a:cmu:cyrus-sasl:1.5.28:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus-sasl:2.1.19:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus-sasl:2.1.20:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus-sasl:2.1.21:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus-sasl:2.1.22:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus-sasl:2.1.23:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus-sasl:2.1.24:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus-sasl:2.1.25:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- git.cyrusimap.org/cyrus-sasl/commit/nvdExploitPatch
- security.gentoo.org/glsa/glsa-201309-01.xmlnvd
- www.debian.org/security/2015/dsa-3368nvd
- www.openwall.com/lists/oss-security/2013/07/12/3nvd
- www.openwall.com/lists/oss-security/2013/07/12/6nvd
- www.openwall.com/lists/oss-security/2013/07/13/1nvd
- www.openwall.com/lists/oss-security/2013/07/15/1nvd
- www.ubuntu.com/usn/USN-2755-1nvd
- www.linuxquestions.org/questions/slackware-14/%5Bslackware-current%5D-glibc-2-17-shadow-and-other-penumbrae-4175461061/nvd
News mentions
0No linked articles in our index yet.