Assigned ID: CVE-2018-8950
- kopano-server/libkcserver component of Kopano Groupware Core, 8.6.0, 8.5.0–8.5.5, and 8.4.0–8.4.6
The indexes on one table lacked sufficient uniqueness constraints. A local user could cause kopano-server to insert copies of a preexisting SQL row's data. When that data was later retrieved, the reader got back all of the redundant rows, which take correspondingly more time (and, in sufficient quantity, memory) to process.
Observed in the real world: a "names" table with 543K entries (about 2100 unique) led to a delay of 3.7 s when running `kopano-admin --details someuser` on an Opteron 6180SE.
- Authenticated users may connect to kopano-server over its RPC transport (port 236, 237, and/or Unix pipe) and issue the getIDsFromNames RPC, asking for the same property.
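
The schema weakness described above, together with an audit query that reports total versus unique rows, as an added example that is not Kopano's code. The table layout, column and index names, and sample values are assumptions constructed for illustration, and SQLite stands in for the server's SQL database.

```python
import sqlite3

# Simplified stand-in for the "names" table. Column and index names are
# assumptions for illustration, not taken from the advisory.
WEAK = """
CREATE TABLE names (id INTEGER PRIMARY KEY AUTOINCREMENT,
                    guid BLOB NOT NULL, namestring TEXT NOT NULL);
CREATE INDEX guidnamestring ON names (guid, namestring);
"""
# Same schema, but the index now enforces one row per (guid, namestring).
HARDENED = WEAK.replace("CREATE INDEX", "CREATE UNIQUE INDEX")

def store_name(db, guid, name):
    # Without a unique index nothing conflicts, so every call adds a row.
    db.execute("INSERT OR IGNORE INTO names (guid, namestring) VALUES (?, ?)",
               (guid, name))

def lookup(db, guid, name):
    # A reader receives every matching row, duplicates included.
    return db.execute("SELECT id FROM names WHERE guid = ? AND namestring = ?",
                      (guid, name)).fetchall()

def audit(db):
    """Return (total rows, unique mappings, [(guid, name, copies), ...])."""
    total = db.execute("SELECT COUNT(*) FROM names").fetchone()[0]
    groups = db.execute("SELECT guid, namestring, COUNT(*) FROM names "
                        "GROUP BY guid, namestring ORDER BY namestring").fetchall()
    return total, len(groups), [g for g in groups if g[2] > 1]

def demo(schema, repeats=100):
    """Replay constructed sample requests and report the table's state."""
    db = sqlite3.connect(":memory:")
    db.executescript(schema)
    guid = bytes(16)  # constructed sample GUID
    for _ in range(repeats):
        for name in ("x-sample-a", "x-sample-b", "x-sample-c"):  # constructed
            store_name(db, guid, name)
    total, unique, dupes = audit(db)
    return total, unique, len(dupes), len(lookup(db, guid, "x-sample-a"))

if __name__ == "__main__":
    for label, schema in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "(rows, unique, duplicated keys, rows per lookup):", demo(schema))
```

With the non-unique index the table grows with every repeated request and each lookup returns all copies; with the unique index the same requests leave one row per mapping.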