MidnightBSD

Advisories for dovecot

CVE-2008-4577 MEDIUM

The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
canonical ubuntu_linux 9.04
opensuse opensuse 10.3-11.1
canonical ubuntu_linux 8.04
canonical ubuntu_linux 8.10
fedoraproject fedora 9
fedoraproject fedora 8
dovecot dovecot *
CVE-2009-3897 MEDIUM

Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
dovecot dovecot *
CVE-2010-0745 MEDIUM

Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) via long headers in an e-mail message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
dovecot dovecot 1.2.9
dovecot dovecot 1.2.5
dovecot dovecot 1.2.4
dovecot dovecot 1.2.1
dovecot dovecot 1.2.2
dovecot dovecot 1.2.8
dovecot dovecot 1.2.0
dovecot dovecot 1.2.6
dovecot dovecot 1.2.10
dovecot dovecot 1.2.3
dovecot dovecot 1.2.7
CVE-2010-3304 MEDIUM

The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
dovecot dovecot 1.2.2
dovecot dovecot 1.2.8
dovecot dovecot 1.2.6
dovecot dovecot 1.2.11
dovecot dovecot 1.2.12
dovecot dovecot 1.2.7
dovecot dovecot 1.2.9
dovecot dovecot 1.2.5
dovecot dovecot 1.2.4
dovecot dovecot 1.2.1
dovecot dovecot 1.2.0
dovecot dovecot 1.2.10
dovecot dovecot 1.2.3
CVE-2010-3706 MEDIUM

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
dovecot dovecot 2.0.0
dovecot dovecot 1.2.2
dovecot dovecot 1.2.8
dovecot dovecot 1.2.6
dovecot dovecot 1.2.11
dovecot dovecot 1.2.12
dovecot dovecot 2.0.3
dovecot dovecot 1.2.7
dovecot dovecot 1.2.9
dovecot dovecot 2.0.4
dovecot dovecot 1.2.5
dovecot dovecot 1.2.4
dovecot dovecot 1.2.1
dovecot dovecot 1.2.13
dovecot dovecot 2.0.1
dovecot dovecot 1.2.0
dovecot dovecot 1.2.14
dovecot dovecot 1.2.10
dovecot dovecot 2.0.2
dovecot dovecot 1.2.3
CVE-2010-3707 MEDIUM

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
dovecot dovecot 2.0.0
dovecot dovecot 1.2.2
dovecot dovecot 1.2.8
dovecot dovecot 1.2.6
dovecot dovecot 1.2.11
dovecot dovecot 1.2.12
dovecot dovecot 2.0.3
dovecot dovecot 1.2.7
dovecot dovecot 1.2.9
dovecot dovecot 2.0.4
dovecot dovecot 1.2.5
dovecot dovecot 1.2.4
dovecot dovecot 1.2.1
dovecot dovecot 1.2.13
dovecot dovecot 2.0.1
dovecot dovecot 1.2.0
dovecot dovecot 1.2.14
dovecot dovecot 1.2.10
dovecot dovecot 2.0.2
dovecot dovecot 1.2.3
CVE-2010-3779 LOW

Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin permission to the owner of each mailbox in a non-public namespace, which might allow remote authenticated users to bypass intended access restrictions by changing the ACL of a mailbox, as demonstrated by a symlinked shared mailbox.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264,

Products Affected

Vendor Product Version
dovecot dovecot 1.2.2
dovecot dovecot 1.2.8
dovecot dovecot 1.2.6
dovecot dovecot 1.2.11
dovecot dovecot 1.2.12
dovecot dovecot 1.2.7
dovecot dovecot 1.2.9
dovecot dovecot 1.2.5
dovecot dovecot 1.2.4
dovecot dovecot 1.2.1
dovecot dovecot 1.2.13
dovecot dovecot 2.0
dovecot dovecot 1.2.0
dovecot dovecot 1.2.14
dovecot dovecot 1.2.10
dovecot dovecot 1.2.3
CVE-2010-3780 MEDIUM

Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneously disconnecting many (1) IMAP or (2) POP3 sessions.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
dovecot dovecot 1.2.2
dovecot dovecot 1.2.8
dovecot dovecot 1.2.6
dovecot dovecot 1.2.11
dovecot dovecot 1.2.12
dovecot dovecot 1.2.7
dovecot dovecot 1.2.9
dovecot dovecot 1.2.5
dovecot dovecot 1.2.4
dovecot dovecot 1.2.1
dovecot dovecot 1.2.13
dovecot dovecot 1.2.0
dovecot dovecot 1.2.14
dovecot dovecot 1.2.10
dovecot dovecot 1.2.3
CVE-2011-1929 MEDIUM

lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\0' characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
dovecot dovecot 2.0.0
dovecot dovecot 2.0.11
dovecot dovecot 2.0.9
dovecot dovecot 1.2.2
dovecot dovecot 1.2.8
dovecot dovecot 2.0.7
dovecot dovecot 1.2.6
dovecot dovecot 2.0.3
dovecot dovecot 1.2.7
dovecot dovecot 1.2.9
dovecot dovecot 2.0.8
dovecot dovecot 1.2.4
dovecot dovecot 2.0.6
dovecot dovecot 1.2.1
dovecot dovecot 2.0.1
dovecot dovecot 2.0.10
dovecot dovecot 1.2.14
dovecot dovecot 1.2.10
dovecot dovecot 2.0.2
dovecot dovecot 2.0.12
dovecot dovecot 1.2.3
dovecot dovecot 1.2.16
dovecot dovecot 1.2.11
dovecot dovecot 1.2.12
dovecot dovecot 1.2.15
dovecot dovecot 2.0.4
dovecot dovecot 1.2.5
dovecot dovecot 1.2.13
dovecot dovecot 2.0
dovecot dovecot 1.2.0
dovecot dovecot 2.0.5
CVE-2011-2166 MEDIUM

script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-16,

Products Affected

Vendor Product Version
dovecot dovecot 2.0.0
dovecot dovecot 2.0.11
dovecot dovecot 2.0.9
dovecot dovecot 2.0.7
dovecot dovecot 2.0.3
dovecot dovecot 2.0.4
dovecot dovecot 2.0.8
dovecot dovecot 2.0.6
dovecot dovecot 2.0.1
dovecot dovecot 2.0.10
dovecot dovecot 2.0.2
dovecot dovecot 2.0.12
dovecot dovecot 2.0.5
CVE-2011-2167 MEDIUM

script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
dovecot dovecot 2.0.0
dovecot dovecot 2.0.11
dovecot dovecot 2.0.9
dovecot dovecot 2.0.7
dovecot dovecot 2.0.3
dovecot dovecot 2.0.4
dovecot dovecot 2.0.8
dovecot dovecot 2.0.6
dovecot dovecot 2.0.1
dovecot dovecot 2.0.10
dovecot dovecot 2.0.2
dovecot dovecot 2.0.12
dovecot dovecot 2.0.5
CVE-2013-2111 MEDIUM

The IMAP functionality in Dovecot before 2.2.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via invalid APPEND parameters.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
dovecot dovecot 2.2.0
dovecot dovecot *
dovecot dovecot 2.2
CVE-2013-6171 MEDIUM

checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
dovecot dovecot 2.1.15
dovecot dovecot 2.0.0
dovecot dovecot 2.0.11
dovecot dovecot 2.0.9
dovecot dovecot 2.1.4
dovecot dovecot 2.1.14
dovecot dovecot 2.0.7
dovecot dovecot 2.0.3
dovecot dovecot 2.0.8
dovecot dovecot 2.1.13
dovecot dovecot 2.0.6
dovecot dovecot 2.2.1
dovecot dovecot 2.1.10
dovecot dovecot 2.0.1
dovecot dovecot 2.0.10
dovecot dovecot 2.1.1
dovecot dovecot 2.0.2
dovecot dovecot 2.1.7
dovecot dovecot 2.2.0
dovecot dovecot 2.2.4
dovecot dovecot 2.2.3
dovecot dovecot 2.0.12
dovecot dovecot 2.2
dovecot dovecot 2.1.0
dovecot dovecot 2.1.6
dovecot dovecot 2.0.13
dovecot dovecot 2.1.3
dovecot dovecot 2.2.2
dovecot dovecot 2.1.11
dovecot dovecot 2.2.5
dovecot dovecot 2.1.12
dovecot dovecot 2.0.15
dovecot dovecot 2.0.14
dovecot dovecot 2.1.5
dovecot dovecot 2.0.4
dovecot dovecot 2.1.2
dovecot dovecot 2.0
dovecot dovecot 2.1
dovecot dovecot *
dovecot dovecot 2.0.5
CVE-2014-3430 MEDIUM

Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
dovecot dovecot 1.1
dovecot dovecot 2.0.0
dovecot dovecot 2.0.11
dovecot dovecot 2.0.9
dovecot dovecot 1.2.2
dovecot dovecot 2.0.7
dovecot dovecot 1.2.7
dovecot dovecot 2.0.8
dovecot dovecot 1.2.4
dovecot dovecot 2.0.6
dovecot dovecot 2.2.1
dovecot dovecot 2.1.10
dovecot dovecot 1.2.1
dovecot dovecot 2.0.1
dovecot dovecot 1.2.14
dovecot dovecot 2.1.1
dovecot dovecot 2.0.2
dovecot dovecot 2.2.0
dovecot dovecot 2.2.4
dovecot dovecot 1.1.0
dovecot dovecot 1.2.3
dovecot dovecot 2.1.0
dovecot dovecot 2.1.6
dovecot dovecot 2.2.9
dovecot dovecot 2.2.2
dovecot dovecot 2.1.11
dovecot dovecot 1.2.11
dovecot dovecot 2.1.12
dovecot dovecot 1.2.12
dovecot dovecot 2.0.4
dovecot dovecot 1.2.5
dovecot dovecot 2.2.13
dovecot dovecot 1.2.0
dovecot dovecot 2.2.10
dovecot dovecot 2.0.5
dovecot dovecot 2.1.15
dovecot dovecot 1.1.4
dovecot dovecot 2.1.4
dovecot dovecot 1.2.8
dovecot dovecot 1.1.5
dovecot dovecot 1.1.6
dovecot dovecot 2.1.14
dovecot dovecot 1.2.6
dovecot dovecot 1.1.1
dovecot dovecot 2.0.3
dovecot dovecot 1.2.9
dovecot dovecot 2.1.13
dovecot dovecot 1.1.2
dovecot dovecot 2.2.7
dovecot dovecot 2.0.10
dovecot dovecot 1.2.10
dovecot dovecot 2.1.7
dovecot dovecot 2.2.3
dovecot dovecot 2.0.12
dovecot dovecot 2.2
dovecot dovecot 1.1.3
dovecot dovecot 2.0.13
dovecot dovecot 2.1.3
dovecot dovecot 2.2.8
dovecot dovecot 2.2.5
dovecot dovecot 2.0.15
dovecot dovecot 1.2.15
dovecot dovecot 2.0.14
dovecot dovecot 2.1.5
dovecot dovecot 2.2.6
dovecot dovecot 2.1.2
dovecot dovecot 1.2.13
dovecot dovecot 2.0
dovecot dovecot 2.1.8
dovecot dovecot 2.1
CVE-2015-3420 MEDIUM

The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allow remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
fedoraproject fedora 21
fedoraproject fedora 22
fedoraproject fedora 20
dovecot dovecot *
CVE-2016-4983 LOW

A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-732,

Products Affected

Vendor Product Version
opensuse opensuse 13.2
dovecot dovecot -
redhat enterprise_linux 6.0
redhat enterprise_linux 5.0
redhat enterprise_linux 4.0
opensuse leap 42.2
opensuse leap 42.1
redhat enterprise_linux 7.0
CVE-2016-8652 MEDIUM

The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows a remote attackers to cause a denial of service (crash) by aborting authentication without setting a username.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
dovecot dovecot *
CVE-2017-14461 MEDIUM

A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,CWE-200,

Products Affected

Vendor Product Version
debian debian_linux 9.0
ubuntu ubuntu 16.04
debian debian_linux 8.0
ubuntu ubuntu 14.04
ubuntu ubuntu 17.10
dovecot dovecot 2.2.33.2
CVE-2017-15130 MEDIUM

A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
debian debian_linux 9.0
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 17.10
canonical ubuntu_linux 16.04
dovecot dovecot *
CVE-2017-15132 MEDIUM

A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-772,

Products Affected

Vendor Product Version
debian debian_linux 9.0
debian debian_linux 7.0
debian debian_linux 8.0
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
dovecot dovecot 2.3.0
canonical ubuntu_linux 17.10
canonical ubuntu_linux 16.04
dovecot dovecot *
CVE-2017-2669 MEDIUM

Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
debian debian_linux 8.0
dovecot dovecot *
CVE-2019-10691 MEDIUM

The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
opensuse leap 15.0
dovecot dovecot *
CVE-2019-11494 MEDIUM

In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
fedoraproject fedora 29
opensuse leap 15.0
fedoraproject fedora 30
opensuse leap 15.1
dovecot dovecot *
CVE-2019-11499 MEDIUM

In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 29
opensuse leap 15.0
fedoraproject fedora 30
opensuse leap 15.1
dovecot dovecot *
CVE-2019-11500 HIGH

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 8.0
dovecot pigeonhole *
fedoraproject fedora 30
dovecot dovecot *
CVE-2019-19722 MEDIUM

In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
fedoraproject fedora 31
fedoraproject fedora 30
dovecot dovecot *
CVE-2019-3814 MEDIUM

It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,CWE-295,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
canonical ubuntu_linux 18.04
canonical ubuntu_linux 16.04
opensuse leap 42.3
dovecot dovecot *
CVE-2019-7524 HIGH

In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
debian debian_linux 9.0
debian debian_linux 8.0
canonical ubuntu_linux 14.04
canonical ubuntu_linux 18.10
opensuse leap 15.0
canonical ubuntu_linux 18.04
canonical ubuntu_linux 16.04
opensuse leap 42.3
dovecot dovecot *
CVE-2020-10957 MEDIUM

In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
dovecot dovecot *
CVE-2020-10958 MEDIUM

In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
dovecot dovecot *
CVE-2020-10967 MEDIUM

In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
dovecot dovecot *
CVE-2020-12100 MEDIUM

In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,

Products Affected

Vendor Product Version
debian debian_linux 9.0
canonical ubuntu_linux 20.04
fedoraproject fedora 33
canonical ubuntu_linux 14.04
debian debian_linux 10.0
fedoraproject fedora 31
fedoraproject fedora 32
canonical ubuntu_linux 18.04
canonical ubuntu_linux 16.04
dovecot dovecot *
CVE-2020-12673 MEDIUM

In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
debian debian_linux 9.0
canonical ubuntu_linux 20.04
fedoraproject fedora 33
canonical ubuntu_linux 14.04
debian debian_linux 10.0
fedoraproject fedora 31
fedoraproject fedora 32
canonical ubuntu_linux 18.04
canonical ubuntu_linux 16.04
dovecot dovecot *
CVE-2020-12674 MEDIUM

In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
debian debian_linux 9.0
canonical ubuntu_linux 20.04
fedoraproject fedora 33
canonical ubuntu_linux 14.04
debian debian_linux 10.0
fedoraproject fedora 31
fedoraproject fedora 32
canonical ubuntu_linux 18.04
canonical ubuntu_linux 16.04
dovecot dovecot *
CVE-2020-24386 MEDIUM

An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N 1.6 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
dovecot dovecot *
CVE-2020-25275 MEDIUM

Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 32
dovecot dovecot *
CVE-2020-28200 MEDIUM

The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4
cve@mitre.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
fedoraproject fedora 33
fedoraproject fedora 34
dovecot dovecot *
CVE-2020-7046 HIGH

lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-835,

Products Affected

Vendor Product Version
fedoraproject fedora 31
fedoraproject fedora 30
dovecot dovecot *
CVE-2020-7957 MEDIUM

The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
fedoraproject fedora 31
fedoraproject fedora 30
dovecot dovecot *
CVE-2021-29157 LOW

Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6
cve@mitre.org 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N 1.1 5.8

CVSS 2.0

Severity: LOW

Problem Type: CWE-22,

Products Affected

Vendor Product Version
fedoraproject fedora 33
fedoraproject fedora 34
dovecot dovecot *
CVE-2021-33515 MEDIUM

The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-77,

Products Affected

Vendor Product Version
fedoraproject fedora 33
debian debian_linux 10.0
fedoraproject fedora 34
dovecot dovecot *
CVE-2022-30550

An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
debian debian_linux 10.0
dovecot dovecot *
dovecot dovecot 2.2
CVE-2025-59031

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@open-xchange.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
dovecot dovecot *
open-xchange dovecot *
CVE-2026-0394

When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading /etc/passwd (or some other path which ends with passwd). If this file contains passwords, it can be used to authenticate wrongly, or if this is userdb, it can unexpectly make system users appear valid users. Upgrade to fixed version, or use different authentication scheme that does not rely on paths. Alternatively you can also ensure that the per-domain passwd files are in some other location, such as /etc/dovecot/auth/%d. No publicly available exploits are known.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@open-xchange.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
dovecot dovecot *
open-xchange dovecot *
CVE-2026-24031

Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerability allows bypassing authentication for any user and user enumeration. Do not clear auth_username_chars. If this is not possible, install latest fixed version. No publicly available exploits are known.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@open-xchange.com 7.7 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L 2.2 5.5

Products Affected

Vendor Product Version
dovecot dovecot *
open-xchange dovecot *
CVE-2026-27855

Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over unsecure connection, switch to SCRAM protocol. Alternatively ensure the communcations are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@open-xchange.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N 1.6 5.2

Products Affected

Vendor Product Version
dovecot dovecot *
open-xchange dovecot *
CVE-2026-27856

Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm http service port, install fixed version. No publicly available exploits are known.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@open-xchange.com 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

Products Affected

Vendor Product Version
dovecot dovecot *
open-xchange dovecot *
CVE-2026-27860

If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly available exploits are known.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@open-xchange.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
dovecot dovecot *
open-xchange dovecot *