Input validation error in Postfix - CVE-2003-0468

 


Published: June 8, 2025


Vulnerability identifier: #VU110624
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/E:U/U:Green
CVE-ID: CVE-2003-0468
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Postfix.org
Affected software:
Postfix

Detailed vulnerability description

The vulnerability allows a remote attacker to perform DDoS attacks against third-party systems.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can abuse Postfix to conduct "bounce scans" or DDoS attacks against other hosts by sending mail to an address on the local host that contains the target IP address and service name followed by a "!" string, which causes Postfix to attempt to communicate over SMTP with the target on the associated port.


How to mitigate CVE-2003-0468

Install updates from the vendor's website.
