The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-863,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 9.04 |
| opensuse | opensuse | 10.3-11.1 |
| canonical | ubuntu_linux | 8.04 |
| canonical | ubuntu_linux | 8.10 |
| fedoraproject | fedora | 9 |
| fedoraproject | fedora | 8 |
| dovecot | dovecot | * |
Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-732,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | * |
Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) via long headers in an e-mail message.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | 1.2.9 |
| dovecot | dovecot | 1.2.5 |
| dovecot | dovecot | 1.2.4 |
| dovecot | dovecot | 1.2.1 |
| dovecot | dovecot | 1.2.2 |
| dovecot | dovecot | 1.2.8 |
| dovecot | dovecot | 1.2.0 |
| dovecot | dovecot | 1.2.6 |
| dovecot | dovecot | 1.2.10 |
| dovecot | dovecot | 1.2.3 |
| dovecot | dovecot | 1.2.7 |
The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | 1.2.2 |
| dovecot | dovecot | 1.2.8 |
| dovecot | dovecot | 1.2.6 |
| dovecot | dovecot | 1.2.11 |
| dovecot | dovecot | 1.2.12 |
| dovecot | dovecot | 1.2.7 |
| dovecot | dovecot | 1.2.9 |
| dovecot | dovecot | 1.2.5 |
| dovecot | dovecot | 1.2.4 |
| dovecot | dovecot | 1.2.1 |
| dovecot | dovecot | 1.2.0 |
| dovecot | dovecot | 1.2.10 |
| dovecot | dovecot | 1.2.3 |
plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | 2.0.0 |
| dovecot | dovecot | 1.2.2 |
| dovecot | dovecot | 1.2.8 |
| dovecot | dovecot | 1.2.6 |
| dovecot | dovecot | 1.2.11 |
| dovecot | dovecot | 1.2.12 |
| dovecot | dovecot | 2.0.3 |
| dovecot | dovecot | 1.2.7 |
| dovecot | dovecot | 1.2.9 |
| dovecot | dovecot | 2.0.4 |
| dovecot | dovecot | 1.2.5 |
| dovecot | dovecot | 1.2.4 |
| dovecot | dovecot | 1.2.1 |
| dovecot | dovecot | 1.2.13 |
| dovecot | dovecot | 2.0.1 |
| dovecot | dovecot | 1.2.0 |
| dovecot | dovecot | 1.2.14 |
| dovecot | dovecot | 1.2.10 |
| dovecot | dovecot | 2.0.2 |
| dovecot | dovecot | 1.2.3 |
plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | 2.0.0 |
| dovecot | dovecot | 1.2.2 |
| dovecot | dovecot | 1.2.8 |
| dovecot | dovecot | 1.2.6 |
| dovecot | dovecot | 1.2.11 |
| dovecot | dovecot | 1.2.12 |
| dovecot | dovecot | 2.0.3 |
| dovecot | dovecot | 1.2.7 |
| dovecot | dovecot | 1.2.9 |
| dovecot | dovecot | 2.0.4 |
| dovecot | dovecot | 1.2.5 |
| dovecot | dovecot | 1.2.4 |
| dovecot | dovecot | 1.2.1 |
| dovecot | dovecot | 1.2.13 |
| dovecot | dovecot | 2.0.1 |
| dovecot | dovecot | 1.2.0 |
| dovecot | dovecot | 1.2.14 |
| dovecot | dovecot | 1.2.10 |
| dovecot | dovecot | 2.0.2 |
| dovecot | dovecot | 1.2.3 |
Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin permission to the owner of each mailbox in a non-public namespace, which might allow remote authenticated users to bypass intended access restrictions by changing the ACL of a mailbox, as demonstrated by a symlinked shared mailbox.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | 1.2.2 |
| dovecot | dovecot | 1.2.8 |
| dovecot | dovecot | 1.2.6 |
| dovecot | dovecot | 1.2.11 |
| dovecot | dovecot | 1.2.12 |
| dovecot | dovecot | 1.2.7 |
| dovecot | dovecot | 1.2.9 |
| dovecot | dovecot | 1.2.5 |
| dovecot | dovecot | 1.2.4 |
| dovecot | dovecot | 1.2.1 |
| dovecot | dovecot | 1.2.13 |
| dovecot | dovecot | 2.0 |
| dovecot | dovecot | 1.2.0 |
| dovecot | dovecot | 1.2.14 |
| dovecot | dovecot | 1.2.10 |
| dovecot | dovecot | 1.2.3 |
Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneously disconnecting many (1) IMAP or (2) POP3 sessions.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | 1.2.2 |
| dovecot | dovecot | 1.2.8 |
| dovecot | dovecot | 1.2.6 |
| dovecot | dovecot | 1.2.11 |
| dovecot | dovecot | 1.2.12 |
| dovecot | dovecot | 1.2.7 |
| dovecot | dovecot | 1.2.9 |
| dovecot | dovecot | 1.2.5 |
| dovecot | dovecot | 1.2.4 |
| dovecot | dovecot | 1.2.1 |
| dovecot | dovecot | 1.2.13 |
| dovecot | dovecot | 1.2.0 |
| dovecot | dovecot | 1.2.14 |
| dovecot | dovecot | 1.2.10 |
| dovecot | dovecot | 1.2.3 |
lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\0' characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | 2.0.0 |
| dovecot | dovecot | 2.0.11 |
| dovecot | dovecot | 2.0.9 |
| dovecot | dovecot | 1.2.2 |
| dovecot | dovecot | 1.2.8 |
| dovecot | dovecot | 2.0.7 |
| dovecot | dovecot | 1.2.6 |
| dovecot | dovecot | 2.0.3 |
| dovecot | dovecot | 1.2.7 |
| dovecot | dovecot | 1.2.9 |
| dovecot | dovecot | 2.0.8 |
| dovecot | dovecot | 1.2.4 |
| dovecot | dovecot | 2.0.6 |
| dovecot | dovecot | 1.2.1 |
| dovecot | dovecot | 2.0.1 |
| dovecot | dovecot | 2.0.10 |
| dovecot | dovecot | 1.2.14 |
| dovecot | dovecot | 1.2.10 |
| dovecot | dovecot | 2.0.2 |
| dovecot | dovecot | 2.0.12 |
| dovecot | dovecot | 1.2.3 |
| dovecot | dovecot | 1.2.16 |
| dovecot | dovecot | 1.2.11 |
| dovecot | dovecot | 1.2.12 |
| dovecot | dovecot | 1.2.15 |
| dovecot | dovecot | 2.0.4 |
| dovecot | dovecot | 1.2.5 |
| dovecot | dovecot | 1.2.13 |
| dovecot | dovecot | 2.0 |
| dovecot | dovecot | 1.2.0 |
| dovecot | dovecot | 2.0.5 |
script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-16,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | 2.0.0 |
| dovecot | dovecot | 2.0.11 |
| dovecot | dovecot | 2.0.9 |
| dovecot | dovecot | 2.0.7 |
| dovecot | dovecot | 2.0.3 |
| dovecot | dovecot | 2.0.4 |
| dovecot | dovecot | 2.0.8 |
| dovecot | dovecot | 2.0.6 |
| dovecot | dovecot | 2.0.1 |
| dovecot | dovecot | 2.0.10 |
| dovecot | dovecot | 2.0.2 |
| dovecot | dovecot | 2.0.12 |
| dovecot | dovecot | 2.0.5 |
script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | 2.0.0 |
| dovecot | dovecot | 2.0.11 |
| dovecot | dovecot | 2.0.9 |
| dovecot | dovecot | 2.0.7 |
| dovecot | dovecot | 2.0.3 |
| dovecot | dovecot | 2.0.4 |
| dovecot | dovecot | 2.0.8 |
| dovecot | dovecot | 2.0.6 |
| dovecot | dovecot | 2.0.1 |
| dovecot | dovecot | 2.0.10 |
| dovecot | dovecot | 2.0.2 |
| dovecot | dovecot | 2.0.12 |
| dovecot | dovecot | 2.0.5 |
The IMAP functionality in Dovecot before 2.2.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via invalid APPEND parameters.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | 2.2.0 |
| dovecot | dovecot | * |
| dovecot | dovecot | 2.2 |
checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | 2.1.15 |
| dovecot | dovecot | 2.0.0 |
| dovecot | dovecot | 2.0.11 |
| dovecot | dovecot | 2.0.9 |
| dovecot | dovecot | 2.1.4 |
| dovecot | dovecot | 2.1.14 |
| dovecot | dovecot | 2.0.7 |
| dovecot | dovecot | 2.0.3 |
| dovecot | dovecot | 2.0.8 |
| dovecot | dovecot | 2.1.13 |
| dovecot | dovecot | 2.0.6 |
| dovecot | dovecot | 2.2.1 |
| dovecot | dovecot | 2.1.10 |
| dovecot | dovecot | 2.0.1 |
| dovecot | dovecot | 2.0.10 |
| dovecot | dovecot | 2.1.1 |
| dovecot | dovecot | 2.0.2 |
| dovecot | dovecot | 2.1.7 |
| dovecot | dovecot | 2.2.0 |
| dovecot | dovecot | 2.2.4 |
| dovecot | dovecot | 2.2.3 |
| dovecot | dovecot | 2.0.12 |
| dovecot | dovecot | 2.2 |
| dovecot | dovecot | 2.1.0 |
| dovecot | dovecot | 2.1.6 |
| dovecot | dovecot | 2.0.13 |
| dovecot | dovecot | 2.1.3 |
| dovecot | dovecot | 2.2.2 |
| dovecot | dovecot | 2.1.11 |
| dovecot | dovecot | 2.2.5 |
| dovecot | dovecot | 2.1.12 |
| dovecot | dovecot | 2.0.15 |
| dovecot | dovecot | 2.0.14 |
| dovecot | dovecot | 2.1.5 |
| dovecot | dovecot | 2.0.4 |
| dovecot | dovecot | 2.1.2 |
| dovecot | dovecot | 2.0 |
| dovecot | dovecot | 2.1 |
| dovecot | dovecot | * |
| dovecot | dovecot | 2.0.5 |
Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | 1.1 |
| dovecot | dovecot | 2.0.0 |
| dovecot | dovecot | 2.0.11 |
| dovecot | dovecot | 2.0.9 |
| dovecot | dovecot | 1.2.2 |
| dovecot | dovecot | 2.0.7 |
| dovecot | dovecot | 1.2.7 |
| dovecot | dovecot | 2.0.8 |
| dovecot | dovecot | 1.2.4 |
| dovecot | dovecot | 2.0.6 |
| dovecot | dovecot | 2.2.1 |
| dovecot | dovecot | 2.1.10 |
| dovecot | dovecot | 1.2.1 |
| dovecot | dovecot | 2.0.1 |
| dovecot | dovecot | 1.2.14 |
| dovecot | dovecot | 2.1.1 |
| dovecot | dovecot | 2.0.2 |
| dovecot | dovecot | 2.2.0 |
| dovecot | dovecot | 2.2.4 |
| dovecot | dovecot | 1.1.0 |
| dovecot | dovecot | 1.2.3 |
| dovecot | dovecot | 2.1.0 |
| dovecot | dovecot | 2.1.6 |
| dovecot | dovecot | 2.2.9 |
| dovecot | dovecot | 2.2.2 |
| dovecot | dovecot | 2.1.11 |
| dovecot | dovecot | 1.2.11 |
| dovecot | dovecot | 2.1.12 |
| dovecot | dovecot | 1.2.12 |
| dovecot | dovecot | 2.0.4 |
| dovecot | dovecot | 1.2.5 |
| dovecot | dovecot | 2.2.13 |
| dovecot | dovecot | 1.2.0 |
| dovecot | dovecot | 2.2.10 |
| dovecot | dovecot | 2.0.5 |
| dovecot | dovecot | 2.1.15 |
| dovecot | dovecot | 1.1.4 |
| dovecot | dovecot | 2.1.4 |
| dovecot | dovecot | 1.2.8 |
| dovecot | dovecot | 1.1.5 |
| dovecot | dovecot | 1.1.6 |
| dovecot | dovecot | 2.1.14 |
| dovecot | dovecot | 1.2.6 |
| dovecot | dovecot | 1.1.1 |
| dovecot | dovecot | 2.0.3 |
| dovecot | dovecot | 1.2.9 |
| dovecot | dovecot | 2.1.13 |
| dovecot | dovecot | 1.1.2 |
| dovecot | dovecot | 2.2.7 |
| dovecot | dovecot | 2.0.10 |
| dovecot | dovecot | 1.2.10 |
| dovecot | dovecot | 2.1.7 |
| dovecot | dovecot | 2.2.3 |
| dovecot | dovecot | 2.0.12 |
| dovecot | dovecot | 2.2 |
| dovecot | dovecot | 1.1.3 |
| dovecot | dovecot | 2.0.13 |
| dovecot | dovecot | 2.1.3 |
| dovecot | dovecot | 2.2.8 |
| dovecot | dovecot | 2.2.5 |
| dovecot | dovecot | 2.0.15 |
| dovecot | dovecot | 1.2.15 |
| dovecot | dovecot | 2.0.14 |
| dovecot | dovecot | 2.1.5 |
| dovecot | dovecot | 2.2.6 |
| dovecot | dovecot | 2.1.2 |
| dovecot | dovecot | 1.2.13 |
| dovecot | dovecot | 2.0 |
| dovecot | dovecot | 2.1.8 |
| dovecot | dovecot | 2.1 |
The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allow remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-295,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 21 |
| fedoraproject | fedora | 22 |
| fedoraproject | fedora | 20 |
| dovecot | dovecot | * |
A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 1.8 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-732,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | opensuse | 13.2 |
| dovecot | dovecot | - |
| redhat | enterprise_linux | 6.0 |
| redhat | enterprise_linux | 5.0 |
| redhat | enterprise_linux | 4.0 |
| opensuse | leap | 42.2 |
| opensuse | leap | 42.1 |
| redhat | enterprise_linux | 7.0 |
The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows a remote attackers to cause a denial of service (crash) by aborting authentication without setting a username.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | * |
A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| ubuntu | ubuntu | 16.04 |
| debian | debian_linux | 8.0 |
| ubuntu | ubuntu | 14.04 |
| ubuntu | ubuntu | 17.10 |
| dovecot | dovecot | 2.2.33.2 |
A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 17.10 |
| canonical | ubuntu_linux | 16.04 |
| dovecot | dovecot | * |
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,CWE-772,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| debian | debian_linux | 7.0 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| dovecot | dovecot | 2.3.0 |
| canonical | ubuntu_linux | 17.10 |
| canonical | ubuntu_linux | 16.04 |
| dovecot | dovecot | * |
Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 8.0 |
| dovecot | dovecot | * |
The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | leap | 15.0 |
| dovecot | dovecot | * |
In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 29 |
| opensuse | leap | 15.0 |
| fedoraproject | fedora | 30 |
| opensuse | leap | 15.1 |
| dovecot | dovecot | * |
In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 29 |
| opensuse | leap | 15.0 |
| fedoraproject | fedora | 30 |
| opensuse | leap | 15.1 |
| dovecot | dovecot | * |
In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 8.0 |
| dovecot | pigeonhole | * |
| fedoraproject | fedora | 30 |
| dovecot | dovecot | * |
In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 31 |
| fedoraproject | fedora | 30 |
| dovecot | dovecot | * |
It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-295,CWE-295,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 18.10 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 16.04 |
| opensuse | leap | 42.3 |
| dovecot | dovecot | * |
In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 18.10 |
| opensuse | leap | 15.0 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 16.04 |
| opensuse | leap | 42.3 |
| dovecot | dovecot | * |
In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | * |
In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | * |
In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | * |
In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-674,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 20.04 |
| fedoraproject | fedora | 33 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 31 |
| fedoraproject | fedora | 32 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 16.04 |
| dovecot | dovecot | * |
In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 20.04 |
| fedoraproject | fedora | 33 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 31 |
| fedoraproject | fedora | 32 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 16.04 |
| dovecot | dovecot | * |
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 20.04 |
| fedoraproject | fedora | 33 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 31 |
| fedoraproject | fedora | 32 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 16.04 |
| dovecot | dovecot | * |
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N | 1.6 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| dovecot | dovecot | * |
Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 32 |
| dovecot | dovecot | * |
The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 2.8 | 1.4 |
| cve@mitre.org | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 2.8 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 33 |
| fedoraproject | fedora | 34 |
| dovecot | dovecot | * |
lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 31 |
| fedoraproject | fedora | 30 |
| dovecot | dovecot | * |
The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 31 |
| fedoraproject | fedora | 30 |
| dovecot | dovecot | * |
Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
| cve@mitre.org | 7.5 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N | 1.1 | 5.8 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 33 |
| fedoraproject | fedora | 34 |
| dovecot | dovecot | * |
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 2.2 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-77,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 33 |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 34 |
| dovecot | dovecot | * |
An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 10.0 |
| dovecot | dovecot | * |
| dovecot | dovecot | 2.2 |
Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@open-xchange.com | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 2.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | * |
| open-xchange | dovecot | * |
When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading /etc/passwd (or some other path which ends with passwd). If this file contains passwords, it can be used to authenticate wrongly, or if this is userdb, it can unexpectly make system users appear valid users. Upgrade to fixed version, or use different authentication scheme that does not rely on paths. Alternatively you can also ensure that the per-domain passwd files are in some other location, such as /etc/dovecot/auth/%d. No publicly available exploits are known.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@open-xchange.com | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | * |
| open-xchange | dovecot | * |
Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This vulnerability allows bypassing authentication for any user and user enumeration. Do not clear auth_username_chars. If this is not possible, install latest fixed version. No publicly available exploits are known.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@open-xchange.com | 7.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L | 2.2 | 5.5 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | * |
| open-xchange | dovecot | * |
Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over unsecure connection, switch to SCRAM protocol. Alternatively ensure the communcations are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@open-xchange.com | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N | 1.6 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | * |
| open-xchange | dovecot | * |
Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm http service port, install fixed version. No publicly available exploits are known.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@open-xchange.com | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 2.2 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | * |
| open-xchange | dovecot | * |
If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly available exploits are known.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@open-xchange.com | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 2.2 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | * |
| open-xchange | dovecot | * |