
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity vulnerability (GHSA-m6m5-pp4g-fcc8) was discovered in the foxcpp/maddy Go module, affecting versions prior to 0.5.1. The vulnerability was published on October 6, 2021, and involves S3 storage write operations not being properly aborted on errors, which can lead to unbounded memory usage. The issue specifically affects users implementing storage.blob.s3 (introduced in version 0.5.0) with storage.imapsql (GitHub Advisory).
The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High severity) with the following base metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality: None, Integrity: None, and Availability: High. The vulnerability is categorized under CWE-772, which relates to missing release of resource after effective lifetime (GitHub Advisory).
The vulnerability affects systems using the specific configuration of storage.blob.s3 with storage.imapsql in their local_mailboxes setup. When triggered, the issue can lead to unbounded memory usage, potentially causing system resource exhaustion (GitHub Advisory).
The vulnerability has been patched in version 0.5.1 of the foxcpp/maddy module. The fix was pushed to the master branch, and no workarounds are available for affected versions. Due to the small number of affected users, no special handling of the issue was implemented (GitHub Advisory).
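The failure class described above (CWE-772: a streamed write that is not aborted when an error occurs), as an added example that is not maddy's code and not taken from the advisory. It assumes a blob write that streams through an `io.Pipe` to an uploader goroutine; `upload`, `storeMessage`, `errDelivery` and the sample chunks are hypothetical names and constructed data.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"time"
)

var errDelivery = errors.New("delivery failed mid-message") // constructed error
// upload stands in for an S3 client call that reads the body until EOF or error.
func upload(body io.Reader, done chan<- error) {
	_, err := io.Copy(io.Discard, body)
	done <- err
}

// storeMessage streams chunks to upload; failAt is the chunk index where delivery
// fails (-1 = never). Returns whether the uploader exited and the error it saw.
func storeMessage(chunks [][]byte, failAt int, abortOnError bool) (bool, error) {
	pr, pw := io.Pipe()
	done := make(chan error, 1)
	go upload(pr, done)
	failed := false
	for i, c := range chunks {
		if i == failAt {
			failed = true
			break
		}
		pw.Write(c)
	}
	switch {
	case !failed:
		pw.Close() // normal end of object: reader sees io.EOF
	case abortOnError:
		pw.CloseWithError(errDelivery) // abort: reader unblocks with the error
	} // otherwise the pipe stays open and the uploader stays blocked with its buffers
	select {
	case err := <-done:
		return true, err
	case <-time.After(300 * time.Millisecond):
		return false, nil // still blocked: leaked for the life of the process
	}
}

func main() {
	msg := [][]byte{[]byte("hdr"), []byte("body")}
	fmt.Println(storeMessage(msg, 1, false)) // write not aborted
	fmt.Println(storeMessage(msg, 1, true))  // write aborted on error
}
```

Each failed write that is not aborted leaves one goroutine and its buffers behind, so repeated failures grow memory without bound.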
Source: This report was generated using AI