Vulnerabilities related to dovecot - dovecot
cve-2008-1199
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T08:17:33.897Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "GLSA-200803-25", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml" }, { "name": "oval:org.mitre.oval:def:10739", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739" }, { "name": "[Dovecot-news] 20080504 v1.0.11 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html" }, { "name": "29557", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29557" }, { "name": "20080304 Dovecot mail_extra_groups setting is often used insecurely", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded" }, { "name": "30342", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/30342" }, { "name": "RHSA-2008:0297", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "name": "DSA-1516", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2008/dsa-1516" }, { "name": "USN-593-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/593-1/" }, { "name": "FEDORA-2008-2475", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html" }, { "name": "SUSE-SR:2008:020", "tags": [ "vendor-advisory", "x_refsource_SUSE", 
"x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "name": "28092", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/28092" }, { "name": "29226", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29226" }, { "name": "32151", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32151" }, { "name": "29385", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29385" }, { "name": "dovecot-mailextragroups-unauth-access(41009)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009" }, { "name": "FEDORA-2008-2464", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html" }, { "name": "29396", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29396" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-03-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "GLSA-200803-25", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml" }, { "name": "oval:org.mitre.oval:def:10739", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739" }, { "name": "[Dovecot-news] 20080504 v1.0.11 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html" }, { "name": "29557", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29557" }, { "name": "20080304 Dovecot mail_extra_groups setting is often used insecurely", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded" }, { "name": "30342", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/30342" }, { "name": "RHSA-2008:0297", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "name": "DSA-1516", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2008/dsa-1516" }, { "name": "USN-593-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/593-1/" }, { "name": "FEDORA-2008-2475", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html" }, { "name": "SUSE-SR:2008:020", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "name": 
"28092", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/28092" }, { "name": "29226", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29226" }, { "name": "32151", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32151" }, { "name": "29385", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29385" }, { "name": "dovecot-mailextragroups-unauth-access(41009)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009" }, { "name": "FEDORA-2008-2464", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html" }, { "name": "29396", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29396" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1199", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "GLSA-200803-25", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml" }, { "name": "oval:org.mitre.oval:def:10739", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739" }, { "name": "[Dovecot-news] 20080504 v1.0.11 released", "refsource": "MLIST", "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html" }, { "name": "29557", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29557" }, { "name": "20080304 Dovecot mail_extra_groups setting is often used insecurely", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded" }, { "name": "30342", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30342" }, { "name": "RHSA-2008:0297", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "name": "DSA-1516", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1516" }, { "name": "USN-593-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/593-1/" }, { "name": "FEDORA-2008-2475", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html" }, { "name": "SUSE-SR:2008:020", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "name": "28092", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28092" }, { "name": "29226", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29226" }, { "name": "32151", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32151" }, { "name": "29385", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29385" }, { "name": "dovecot-mailextragroups-unauth-access(41009)", "refsource": "XF", "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/41009" }, { "name": "FEDORA-2008-2464", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html" }, { "name": "29396", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29396" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1199", "datePublished": "2008-03-06T21:00:00", "dateReserved": "2008-03-06T00:00:00", "dateUpdated": "2024-08-07T08:17:33.897Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-3779
Vulnerability from cvelistv5
URL | Tags |
---|---|
http://www.ubuntu.com/usn/USN-1059-1 | vendor-advisory, x_refsource_UBUNTU | |
http://www.mandriva.com/security/advisories?name=MDVSA-2010:217 | vendor-advisory, x_refsource_MANDRIVA | |
http://secunia.com/advisories/43220 | third-party-advisory, x_refsource_SECUNIA | |
http://www.vupen.com/english/advisories/2011/0301 | vdb-entry, x_refsource_VUPEN | |
http://www.dovecot.org/list/dovecot/2010-October/053450.html | mailing-list, x_refsource_MLIST | |
http://www.dovecot.org/list/dovecot/2010-October/053452.html | mailing-list, x_refsource_MLIST | |
http://www.vupen.com/english/advisories/2010/2840 | vdb-entry, x_refsource_VUPEN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:18:53.196Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-1059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "name": "MDVSA-2010:217", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "name": "43220", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/43220" }, { "name": "ADV-2011-0301", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "name": "[dovecot] 20101002 v1.2.15 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "name": "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html" }, { "name": "ADV-2010-2840", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/2840" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-10-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin permission to the owner of each mailbox in a non-public namespace, which might allow remote authenticated users to bypass intended access restrictions by changing the ACL of a mailbox, as demonstrated by a symlinked shared mailbox." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2010-11-19T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "USN-1059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "name": "MDVSA-2010:217", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "name": "43220", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/43220" }, { "name": "ADV-2011-0301", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "name": "[dovecot] 20101002 v1.2.15 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "name": "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html" }, { "name": "ADV-2010-2840", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/2840" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-3779", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin permission to the owner of each mailbox in a non-public namespace, which might allow remote authenticated users to bypass intended access restrictions by changing the ACL of a 
mailbox, as demonstrated by a symlinked shared mailbox." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "USN-1059-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "name": "MDVSA-2010:217", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "name": "43220", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/43220" }, { "name": "ADV-2011-0301", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "name": "[dovecot] 20101002 v1.2.15 released", "refsource": "MLIST", "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "name": "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0", "refsource": "MLIST", "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html" }, { "name": "ADV-2010-2840", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/2840" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-3779", "datePublished": "2010-10-06T20:00:00", "dateReserved": "2010-10-06T00:00:00", "dateUpdated": "2024-08-07T03:18:53.196Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-3814
Vulnerability from cvelistv5
URL | Tags |
---|---|
https://www.dovecot.org/list/dovecot/2019-February/114575.html | x_refsource_MISC | |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814 | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html | vendor-advisory, x_refsource_SUSE | |
https://security.gentoo.org/glsa/201904-19 | vendor-advisory, x_refsource_GENTOO | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/ | vendor-advisory, x_refsource_FEDORA | |
https://access.redhat.com/errata/RHSA-2019:3467 | vendor-advisory, x_refsource_REDHAT |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T19:19:18.590Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.dovecot.org/list/dovecot/2019-February/114575.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814" }, { "name": "openSUSE-SU-2019:1220", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html" }, { "name": "GLSA-201904-19", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201904-19" }, { "name": "FEDORA-2019-9e004decea", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "name": "FEDORA-2019-1b61a528dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "name": "RHSA-2019:3467", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:3467" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "dovecot", "vendor": "dovecot", "versions": [ { "status": "affected", "version": "2.2.36.1" }, { "status": "affected", "version": "2.3.4.1" } ] } ], "descriptions": [ { "lang": "en", "value": "It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-295", "description": "CWE-295", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-06T00:08:03", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.dovecot.org/list/dovecot/2019-February/114575.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814" }, { "name": "openSUSE-SU-2019:1220", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html" }, { "name": "GLSA-201904-19", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201904-19" }, { "name": "FEDORA-2019-9e004decea", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "name": "FEDORA-2019-1b61a528dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "name": "RHSA-2019:3467", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:3467" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-3814", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { 
"product_name": "dovecot", "version": { "version_data": [ { "version_value": "2.2.36.1" }, { "version_value": "2.3.4.1" } ] } } ] }, "vendor_name": "dovecot" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users." } ] }, "impact": { "cvss": [ [ { "vectorString": "7.7/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.0" } ] ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-295" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.dovecot.org/list/dovecot/2019-February/114575.html", "refsource": "MISC", "url": "https://www.dovecot.org/list/dovecot/2019-February/114575.html" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814" }, { "name": "openSUSE-SU-2019:1220", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html" }, { "name": "GLSA-201904-19", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201904-19" }, { "name": "FEDORA-2019-9e004decea", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "name": "FEDORA-2019-1b61a528dd", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "name": "RHSA-2019:3467", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3467" } ] } } } }, "cveMetadata": { "assignerOrgId": 
"53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-3814", "datePublished": "2019-03-27T12:20:45", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2024-08-04T19:19:18.590Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-3706
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:18:52.956Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20101004 Re: CVE Request: more dovecot ACL issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=oss-security\u0026m=128622064325688\u0026w=2" }, { "name": "USN-1059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "name": "SUSE-SR:2010:020", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html" }, { "name": "ADV-2010-2572", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/2572" }, { "name": "[oss-security] 20101004 CVE Request: more dovecot ACL issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=oss-security\u0026m=128620520732377\u0026w=2" }, { "name": "MDVSA-2010:217", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "name": "43220", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/43220" }, { "name": "ADV-2011-0301", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "name": "[dovecot] 20101002 v1.2.15 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "name": "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html" }, { "name": "ADV-2010-2840", 
"tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "name": "[dovecot] 20101002 v2.0.5 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053451.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-10-02T00:00:00", "descriptions": [ { "lang": "en", "value": "plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2010-11-19T10:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[oss-security] 20101004 Re: CVE Request: more dovecot ACL issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=oss-security\u0026m=128622064325688\u0026w=2" }, { "name": "USN-1059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "name": "SUSE-SR:2010:020", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html" }, { "name": "ADV-2010-2572", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/2572" }, { "name": "[oss-security] 20101004 CVE Request: more dovecot ACL issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=oss-security\u0026m=128620520732377\u0026w=2" }, { "name": "MDVSA-2010:217", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "name": "43220", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/43220" }, { "name": "ADV-2011-0301", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "name": "[dovecot] 20101002 v1.2.15 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "name": "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html" }, { "name": "ADV-2010-2840", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": 
"http://www.vupen.com/english/advisories/2010/2840" }, { "name": "[dovecot] 20101002 v2.0.5 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053451.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-3706", "datePublished": "2010-10-06T16:00:00", "dateReserved": "2010-10-01T00:00:00", "dateUpdated": "2024-08-07T03:18:52.956Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-4983
Vulnerability from cvelistv5
URL | Tags |
---|---|
https://bugzilla.suse.com/show_bug.cgi?id=984639 | x_refsource_MISC | |
https://bugzilla.redhat.com/show_bug.cgi?id=1346055 | x_refsource_MISC | |
http://lists.opensuse.org/opensuse-updates/2016-11/msg00096.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:46:39.893Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=984639" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1346055" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-11/msg00096.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "dovecot22", "vendor": "Fedora", "versions": [ { "status": "affected", "version": "dovecot22-2.2.25-3.1" } ] }, { "product": "dovecot22", "vendor": "Fedora", "versions": [ { "status": "affected", "version": "dovecot22-2.2.18-9.1" } ] }, { "product": "dovecot22", "vendor": "Fedora", "versions": [ { "status": "affected", "version": "dovecot22-2.2.13-3.7.1" } ] } ], "datePublic": "2016-06-13T00:00:00", "descriptions": [ { "lang": "en", "value": "A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Other", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-05T21:45:36", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=984639" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1346055" }, { "tags": [ "x_refsource_MISC" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-11/msg00096.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-4983", "datePublished": "2019-11-05T21:45:36", "dateReserved": "2016-05-24T00:00:00", "dateUpdated": "2024-08-06T00:46:39.893Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-2111
Vulnerability from cvelistv5
URL | Tags |
---|---|
http://secunia.com/advisories/53492 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securitytracker.com/id/1028585 | vdb-entry, x_refsource_SECTRACK | |
http://www.openwall.com/lists/oss-security/2013/05/24/1 | mailing-list, x_refsource_MLIST | |
http://www.dovecot.org/list/dovecot-news/2013-May/000255.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:27:40.826Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "53492", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/53492" }, { "name": "1028585", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1028585" }, { "name": "[oss-security] 20130524 Re: CVE request: dovecot : \"APPEND\" Parameters Processing Denial of Service Vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/05/24/1" }, { "name": "[Dovecot-news] 20130520 v2.2.2 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot-news/2013-May/000255.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-05-20T00:00:00", "descriptions": [ { "lang": "en", "value": "The IMAP functionality in Dovecot before 2.2.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via invalid APPEND parameters." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-05-27T14:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "53492", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/53492" }, { "name": "1028585", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1028585" }, { "name": "[oss-security] 20130524 Re: CVE request: dovecot : \"APPEND\" Parameters Processing Denial of Service Vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/05/24/1" }, { "name": "[Dovecot-news] 20130520 v2.2.2 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot-news/2013-May/000255.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-2111", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The IMAP functionality in Dovecot before 2.2.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via invalid APPEND parameters." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "53492", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/53492" }, { "name": "1028585", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1028585" }, { "name": "[oss-security] 20130524 Re: CVE request: dovecot : \"APPEND\" Parameters Processing Denial of Service Vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/05/24/1" }, { "name": "[Dovecot-news] 20130520 v2.2.2 released", "refsource": "MLIST", "url": "http://www.dovecot.org/list/dovecot-news/2013-May/000255.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2111", "datePublished": "2014-05-27T15:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:27:40.826Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-10957
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:21:13.823Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "USN-4361-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4361-1/" }, { "name": "20200519 Multiple vulnerabilities in Dovecot IMAP server", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "name": "DSA-4690", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4690" }, { "name": "FEDORA-2020-1dee17d880", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "name": "openSUSE-SU-2020:0720", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "name": "FEDORA-2020-b60344c987", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" } ], "title": "CVE Program 
Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:U/UI:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-05-28T03:06:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "USN-4361-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4361-1/" }, { "name": "20200519 Multiple vulnerabilities in Dovecot IMAP server", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "name": "DSA-4690", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4690" }, { "name": 
"FEDORA-2020-1dee17d880", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "name": "openSUSE-SU-2020:0720", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "name": "FEDORA-2020-b60344c987", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-10957", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:U/UI:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security" }, { "name": "https://www.openwall.com/lists/oss-security/2020/05/18/1", "refsource": "CONFIRM", "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "USN-4361-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4361-1/" }, { "name": "20200519 Multiple vulnerabilities in Dovecot IMAP server", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "name": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "name": "DSA-4690", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4690" }, { "name": "FEDORA-2020-1dee17d880", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "name": "openSUSE-SU-2020:0720", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "name": "FEDORA-2020-b60344c987", "refsource": "FEDORA", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-10957", "datePublished": "2020-05-18T13:56:25", "dateReserved": "2020-03-25T00:00:00", "dateUpdated": "2024-08-04T11:21:13.823Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-1218
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T08:17:34.499Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "GLSA-200803-25", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml" }, { "name": "29295", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29295" }, { "name": "dovecot-tab-authentication-bypass(41085)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41085" }, { "name": "5257", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/5257" }, { "name": "29557", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29557" }, { "name": "DSA-1516", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2008/dsa-1516" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108" }, { "name": "USN-593-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/593-1/" }, { "name": "FEDORA-2008-2475", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html" }, { "name": "29364", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29364" }, { "name": "SUSE-SR:2008:020", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.rpath.com/browse/RPL-2341" }, { "name": 
"[Dovecot-news] 20080309 Security hole #6: Some passdbs allowed users to log in without a valid password", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000064.html" }, { "name": "[Dovecot-news] 20080309 v1.0.13 and v1.1.rc3 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000065.html" }, { "name": "29226", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29226" }, { "name": "20080312 rPSA-2008-0108-1 dovecot", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/489481/100/0/threaded" }, { "name": "32151", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32151" }, { "name": "29385", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29385" }, { "name": "FEDORA-2008-2464", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html" }, { "name": "28181", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/28181" }, { "name": "29396", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29396" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-03-09T00:00:00", "descriptions": [ { "lang": "en", "value": "Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB 
characters, which are treated as argument delimiters that enable the skip_password_check field to be specified." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "GLSA-200803-25", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml" }, { "name": "29295", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29295" }, { "name": "dovecot-tab-authentication-bypass(41085)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41085" }, { "name": "5257", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/5257" }, { "name": "29557", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29557" }, { "name": "DSA-1516", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2008/dsa-1516" }, { "tags": [ "x_refsource_MISC" ], "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108" }, { "name": "USN-593-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/593-1/" }, { "name": "FEDORA-2008-2475", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html" }, { "name": "29364", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29364" }, { "name": "SUSE-SR:2008:020", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.rpath.com/browse/RPL-2341" }, { "name": "[Dovecot-news] 20080309 
Security hole #6: Some passdbs allowed users to log in without a valid password", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000064.html" }, { "name": "[Dovecot-news] 20080309 v1.0.13 and v1.1.rc3 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000065.html" }, { "name": "29226", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29226" }, { "name": "20080312 rPSA-2008-0108-1 dovecot", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/489481/100/0/threaded" }, { "name": "32151", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32151" }, { "name": "29385", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29385" }, { "name": "FEDORA-2008-2464", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html" }, { "name": "28181", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/28181" }, { "name": "29396", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29396" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1218", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password 
containing TAB characters, which are treated as argument delimiters that enable the skip_password_check field to be specified." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "GLSA-200803-25", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml" }, { "name": "29295", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29295" }, { "name": "dovecot-tab-authentication-bypass(41085)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41085" }, { "name": "5257", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/5257" }, { "name": "29557", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29557" }, { "name": "DSA-1516", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1516" }, { "name": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108", "refsource": "MISC", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108" }, { "name": "USN-593-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/593-1/" }, { "name": "FEDORA-2008-2475", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html" }, { "name": "29364", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29364" }, { "name": "SUSE-SR:2008:020", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "name": "https://issues.rpath.com/browse/RPL-2341", "refsource": "CONFIRM", "url": "https://issues.rpath.com/browse/RPL-2341" }, { "name": "[Dovecot-news] 20080309 Security hole #6: Some passdbs allowed users to log in without a valid password", "refsource": "MLIST", "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000064.html" }, { "name": "[Dovecot-news] 20080309 v1.0.13 and v1.1.rc3 released", "refsource": "MLIST", "url": 
"http://www.dovecot.org/list/dovecot-news/2008-March/000065.html" }, { "name": "29226", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29226" }, { "name": "20080312 rPSA-2008-0108-1 dovecot", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/489481/100/0/threaded" }, { "name": "32151", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32151" }, { "name": "29385", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29385" }, { "name": "FEDORA-2008-2464", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html" }, { "name": "28181", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28181" }, { "name": "29396", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29396" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1218", "datePublished": "2008-03-10T23:00:00", "dateReserved": "2008-03-09T00:00:00", "dateUpdated": "2024-08-07T08:17:34.499Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-10958
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:21:13.881Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "USN-4361-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4361-1/" }, { "name": "20200519 Multiple vulnerabilities in Dovecot IMAP server", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "name": "DSA-4690", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4690" }, { "name": "FEDORA-2020-1dee17d880", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "name": "openSUSE-SU-2020:0720", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "name": "FEDORA-2020-b60344c987", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" } ], "title": "CVE Program 
Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-05-28T03:06:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "USN-4361-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4361-1/" }, { "name": "20200519 Multiple vulnerabilities in Dovecot IMAP server", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "name": "DSA-4690", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": 
"https://www.debian.org/security/2020/dsa-4690" }, { "name": "FEDORA-2020-1dee17d880", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "name": "openSUSE-SU-2020:0720", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "name": "FEDORA-2020-b60344c987", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-10958", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security" }, { "name": "https://www.openwall.com/lists/oss-security/2020/05/18/1", "refsource": "CONFIRM", "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "USN-4361-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4361-1/" }, { "name": "20200519 Multiple vulnerabilities in Dovecot IMAP server", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "name": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "name": "DSA-4690", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4690" }, { "name": "FEDORA-2020-1dee17d880", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "name": "openSUSE-SU-2020:0720", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "name": "FEDORA-2020-b60344c987", "refsource": "FEDORA", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-10958", "datePublished": "2020-05-18T14:00:33", "dateReserved": "2020-03-25T00:00:00", "dateUpdated": "2024-08-04T11:21:13.881Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2007-2231
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T13:33:27.439Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-487-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/usn-487-1" }, { "name": "30342", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/30342" }, { "name": "RHSA-2008:0297", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "name": "23552", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/23552" }, { "name": "DSA-1359", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2007/dsa-1359" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://dovecot.org/doc/NEWS" }, { "name": "[dovecot-cvs] 20070330 dovecot/src/lib-storage/index/mbox mbox-storage.c, 1.145.2.14, 1.145.2.15", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html" }, { "name": "oval:org.mitre.oval:def:10995", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995" }, { "name": "dovecot-mboxstorage-directory-traversal(34082)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082" }, { "name": "SUSE-SR:2007:008", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://www.novell.com/linux/security/advisories/2007_8_sr.html" }, { "name": "ADV-2007-1452", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2007/1452" }, { 
"name": "[dovecot-news] 20070330 Security hole #3: zlib plugin allows opening any gziped mboxes", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://dovecot.org/list/dovecot-news/2007-March/000038.html" }, { "name": "25072", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/25072" }, { "name": "20070418 rPSA-2007-0074-1 dovecot", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/466168/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-04-18T00:00:00", "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "USN-487-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/usn-487-1" }, { "name": "30342", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/30342" }, { "name": "RHSA-2008:0297", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "name": "23552", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/23552" }, { "name": "DSA-1359", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2007/dsa-1359" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://dovecot.org/doc/NEWS" }, { "name": "[dovecot-cvs] 20070330 dovecot/src/lib-storage/index/mbox mbox-storage.c, 1.145.2.14, 1.145.2.15", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html" }, { "name": "oval:org.mitre.oval:def:10995", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995" }, { "name": "dovecot-mboxstorage-directory-traversal(34082)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082" }, { "name": "SUSE-SR:2007:008", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://www.novell.com/linux/security/advisories/2007_8_sr.html" }, { "name": "ADV-2007-1452", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2007/1452" }, { "name": "[dovecot-news] 20070330 Security hole #3: zlib plugin allows opening any gziped mboxes", "tags": [ 
"mailing-list", "x_refsource_MLIST" ], "url": "http://dovecot.org/list/dovecot-news/2007-March/000038.html" }, { "name": "25072", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/25072" }, { "name": "20070418 rPSA-2007-0074-1 dovecot", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/466168/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-2231", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "USN-487-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/usn-487-1" }, { "name": "30342", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30342" }, { "name": "RHSA-2008:0297", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "name": "23552", "refsource": "BID", "url": "http://www.securityfocus.com/bid/23552" }, { "name": "DSA-1359", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2007/dsa-1359" }, { "name": "http://dovecot.org/doc/NEWS", "refsource": "CONFIRM", "url": "http://dovecot.org/doc/NEWS" }, { "name": "[dovecot-cvs] 20070330 dovecot/src/lib-storage/index/mbox mbox-storage.c, 1.145.2.14, 1.145.2.15", "refsource": "MLIST", "url": "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html" }, { "name": "oval:org.mitre.oval:def:10995", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995" }, { "name": "dovecot-mboxstorage-directory-traversal(34082)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082" }, { "name": "SUSE-SR:2007:008", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2007_8_sr.html" }, { "name": "ADV-2007-1452", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/1452" }, { "name": "[dovecot-news] 20070330 Security hole #3: zlib plugin allows opening any gziped mboxes", "refsource": "MLIST", "url": "http://dovecot.org/list/dovecot-news/2007-March/000038.html" }, { "name": "25072", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25072" }, { "name": "20070418 rPSA-2007-0074-1 dovecot", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/466168/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": 
"8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-2231", "datePublished": "2007-04-25T15:00:00", "dateReserved": "2007-04-25T00:00:00", "dateUpdated": "2024-08-07T13:33:27.439Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-4907
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://www.dovecot.org/list/dovecot-news/2008-October/000089.html | mailing-list, x_refsource_MLIST | |
http://secunia.com/advisories/33149 | third-party-advisory, x_refsource_SECUNIA | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/46227 | vdb-entry, x_refsource_XF | |
http://www.ubuntu.com/usn/usn-666-1 | vendor-advisory, x_refsource_UBUNTU | |
http://www.securityfocus.com/bid/31997 | vdb-entry, x_refsource_BID | |
http://security.gentoo.org/glsa/glsa-200812-16.xml | vendor-advisory, x_refsource_GENTOO | |
http://secunia.com/advisories/32677 | third-party-advisory, x_refsource_SECUNIA | |
http://secunia.com/advisories/32479 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T10:31:28.281Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[Dovecot-news] 20081030 v1.1.6 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000089.html" }, { "name": "33149", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/33149" }, { "name": "dovecot-mail-header-dos(46227)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46227" }, { "name": "USN-666-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/usn-666-1" }, { "name": "31997", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/31997" }, { "name": "GLSA-200812-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "name": "32677", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32677" }, { "name": "32479", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32479" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-10-30T00:00:00", "descriptions": [ { "lang": "en", "value": "The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From address, which triggers an assertion error, aka \"invalid message address parsing bug.\"" } ], "problemTypes": [ { 
"descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[Dovecot-news] 20081030 v1.1.6 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000089.html" }, { "name": "33149", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/33149" }, { "name": "dovecot-mail-header-dos(46227)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46227" }, { "name": "USN-666-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/usn-666-1" }, { "name": "31997", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/31997" }, { "name": "GLSA-200812-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "name": "32677", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32677" }, { "name": "32479", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32479" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-4907", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From 
address, which triggers an assertion error, aka \"invalid message address parsing bug.\"" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[Dovecot-news] 20081030 v1.1.6 released", "refsource": "MLIST", "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000089.html" }, { "name": "33149", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33149" }, { "name": "dovecot-mail-header-dos(46227)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46227" }, { "name": "USN-666-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/usn-666-1" }, { "name": "31997", "refsource": "BID", "url": "http://www.securityfocus.com/bid/31997" }, { "name": "GLSA-200812-16", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "name": "32677", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32677" }, { "name": "32479", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32479" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-4907", "datePublished": "2008-11-04T00:00:00", "dateReserved": "2008-11-03T00:00:00", "dateUpdated": "2024-08-07T10:31:28.281Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-7046
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://dovecot.org/security | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2020/02/12/1 | x_refsource_CONFIRM | |
https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/ | vendor-advisory, x_refsource_FEDORA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:18:02.989Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/02/12/1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html" }, { "name": "FEDORA-2020-10a58fda28", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/" }, { "name": "FEDORA-2020-0e6a67af5a", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:U/UI:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-20T06:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.openwall.com/lists/oss-security/2020/02/12/1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html" }, { "name": "FEDORA-2020-10a58fda28", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/" }, { "name": "FEDORA-2020-0e6a67af5a", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-7046", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the 
unauthenticated triggering of a submission-login infinite loop." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:U/UI:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security" }, { "name": "http://www.openwall.com/lists/oss-security/2020/02/12/1", "refsource": "CONFIRM", "url": "http://www.openwall.com/lists/oss-security/2020/02/12/1" }, { "name": "https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html", "refsource": "CONFIRM", "url": "https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html" }, { "name": "FEDORA-2020-10a58fda28", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/" }, { "name": "FEDORA-2020-0e6a67af5a", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-7046", "datePublished": "2020-02-12T16:40:16", "dateReserved": "2020-01-14T00:00:00", "dateUpdated": "2024-08-04T09:18:02.989Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-5301
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/46672 | vdb-entry, x_refsource_XF | |
http://www.vupen.com/english/advisories/2008/3190 | vdb-entry, x_refsource_VUPEN | |
http://www.ubuntu.com/usn/USN-838-1 | vendor-advisory, x_refsource_UBUNTU | |
http://www.dovecot.org/list/dovecot/2008-November/035259.html | mailing-list, x_refsource_MLIST | |
http://secunia.com/advisories/32768 | third-party-advisory, x_refsource_SECUNIA | |
http://secunia.com/advisories/36904 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/32582 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T10:49:12.314Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "managesieve-sieve-directory-traversal(46672)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46672" }, { "name": "ADV-2008-3190", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/3190" }, { "name": "USN-838-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "name": "[Dovecot] 20081117 ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot/2008-November/035259.html" }, { "name": "32768", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32768" }, { "name": "36904", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36904" }, { "name": "32582", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/32582" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-11-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to read and modify arbitrary .sieve files via a \"..\" (dot dot) in a script name." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "managesieve-sieve-directory-traversal(46672)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46672" }, { "name": "ADV-2008-3190", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/3190" }, { "name": "USN-838-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "name": "[Dovecot] 20081117 ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot/2008-November/035259.html" }, { "name": "32768", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32768" }, { "name": "36904", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36904" }, { "name": "32582", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/32582" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-5301", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to read and modify arbitrary .sieve files via a \"..\" (dot dot) in a script name." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "managesieve-sieve-directory-traversal(46672)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46672" }, { "name": "ADV-2008-3190", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/3190" }, { "name": "USN-838-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "name": "[Dovecot] 20081117 ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)", "refsource": "MLIST", "url": "http://www.dovecot.org/list/dovecot/2008-November/035259.html" }, { "name": "32768", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32768" }, { "name": "36904", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36904" }, { "name": "32582", "refsource": "BID", "url": "http://www.securityfocus.com/bid/32582" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-5301", "datePublished": "2008-12-01T17:00:00", "dateReserved": "2008-12-01T00:00:00", "dateUpdated": "2024-08-07T10:49:12.314Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-24386
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://dovecot.org/security | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2021/01/04/4 | x_refsource_CONFIRM | |
https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html | x_refsource_CONFIRM | |
https://doc.dovecot.org/configuration_manual/hibernation/ | x_refsource_MISC | |
https://www.debian.org/security/2021/dsa-4825 | vendor-advisory, x_refsource_DEBIAN | |
http://seclists.org/fulldisclosure/2021/Jan/18 | mailing-list, x_refsource_FULLDISC | |
http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html | x_refsource_MISC | |
https://security.gentoo.org/glsa/202101-01 | vendor-advisory, x_refsource_GENTOO | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/ | vendor-advisory, x_refsource_FEDORA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:12:08.740Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/01/04/4" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://doc.dovecot.org/configuration_manual/hibernation/" }, { "name": "DSA-4825", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4825" }, { "name": "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2021/Jan/18" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html" }, { "name": "GLSA-202101-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202101-01" }, { "name": "FEDORA-2021-c90cb486f7", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Dovecot before 2.3.13. 
By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users\u0027 email messages (and path disclosure)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-20T02:06:06", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.openwall.com/lists/oss-security/2021/01/04/4" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://doc.dovecot.org/configuration_manual/hibernation/" }, { "name": "DSA-4825", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4825" }, { "name": "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2021/Jan/18" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html" }, { "name": "GLSA-202101-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202101-01" }, { "name": "FEDORA-2021-c90cb486f7", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/" } ], "x_ConverterErrors": { "cvssV3_1": { "error": "CVSSV3_1 data from v4 record is invalid", "message": "Missing mandatory metrics \"AV\"" } }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24386", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": 
[ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users\u0027 email messages (and path disclosure)." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:H/A:N/C:H/I:H/PR:L/S:C/UI:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security" }, { "name": "http://www.openwall.com/lists/oss-security/2021/01/04/4", "refsource": "CONFIRM", "url": "http://www.openwall.com/lists/oss-security/2021/01/04/4" }, { "name": "https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html", "refsource": "CONFIRM", "url": "https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html" }, { "name": "https://doc.dovecot.org/configuration_manual/hibernation/", "refsource": "MISC", "url": "https://doc.dovecot.org/configuration_manual/hibernation/" }, { "name": "DSA-4825", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4825" }, { "name": "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2021/Jan/18" }, { "name": "http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html", "refsource": "MISC", "url": 
"http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html" }, { "name": "GLSA-202101-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202101-01" }, { "name": "FEDORA-2021-c90cb486f7", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24386", "datePublished": "2021-01-04T16:25:43", "dateReserved": "2020-08-19T00:00:00", "dateUpdated": "2024-08-04T15:12:08.740Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-33515
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://dovecot.org/security | x_refsource_MISC | |
https://www.openwall.com/lists/oss-security/2021/06/28/2 | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/ | vendor-advisory, x_refsource_FEDORA | |
https://security.gentoo.org/glsa/202107-41 | vendor-advisory, x_refsource_GENTOO | |
https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:50:42.988Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2021/06/28/2" }, { "name": "FEDORA-2021-208340a217", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "name": "FEDORA-2021-891c1ab1ac", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" }, { "name": "GLSA-202107-41", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202107-41" }, { "name": "[debian-lts-announce] 20220927 [SECURITY] [DLA 3122-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-27T05:06:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.openwall.com/lists/oss-security/2021/06/28/2" }, { "name": "FEDORA-2021-208340a217", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "name": "FEDORA-2021-891c1ab1ac", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" }, { "name": "GLSA-202107-41", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202107-41" }, { "name": "[debian-lts-announce] 20220927 [SECURITY] [DLA 3122-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-33515", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security" }, { "name": "https://www.openwall.com/lists/oss-security/2021/06/28/2", "refsource": "CONFIRM", "url": "https://www.openwall.com/lists/oss-security/2021/06/28/2" }, { "name": "FEDORA-2021-208340a217", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "name": "FEDORA-2021-891c1ab1ac", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" }, { "name": "GLSA-202107-41", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202107-41" }, { "name": "[debian-lts-announce] 20220927 [SECURITY] [DLA 3122-1] dovecot security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-33515", "datePublished": "2021-06-28T12:04:59", "dateReserved": "2021-05-24T00:00:00", "dateUpdated": "2024-08-03T23:50:42.988Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11494
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://www.dovecot.org/security.html | x_refsource_MISC | |
https://www.dovecot.org/download.html | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/ | vendor-advisory, x_refsource_FEDORA | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:55:40.377Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.dovecot.org/security.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.dovecot.org/download.html" }, { "name": "FEDORA-2019-9e004decea", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "name": "FEDORA-2019-1b61a528dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "name": "openSUSE-SU-2019:2281", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "name": "openSUSE-SU-2019:2278", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:U/UI:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T20:06:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.dovecot.org/security.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.dovecot.org/download.html" }, { "name": "FEDORA-2019-9e004decea", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "name": "FEDORA-2019-1b61a528dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "name": "openSUSE-SU-2019:2281", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "name": "openSUSE-SU-2019:2278", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-11494", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", 
"description": { "description_data": [ { "lang": "eng", "value": "In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:U/UI:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.dovecot.org/security.html", "refsource": "MISC", "url": "https://www.dovecot.org/security.html" }, { "name": "https://www.dovecot.org/download.html", "refsource": "MISC", "url": "https://www.dovecot.org/download.html" }, { "name": "FEDORA-2019-9e004decea", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "name": "FEDORA-2019-1b61a528dd", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "name": "openSUSE-SU-2019:2281", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "name": "openSUSE-SU-2019:2278", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11494", "datePublished": "2019-05-08T17:04:02", "dateReserved": "2019-04-23T00:00:00", "dateUpdated": "2024-08-04T22:55:40.377Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11499
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://www.dovecot.org/security.html | x_refsource_MISC | |
https://www.dovecot.org/download.html | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/ | vendor-advisory, x_refsource_FEDORA | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:55:40.396Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.dovecot.org/security.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.dovecot.org/download.html" }, { "name": "FEDORA-2019-9e004decea", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "name": "FEDORA-2019-1b61a528dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "name": "openSUSE-SU-2019:2281", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "name": "openSUSE-SU-2019:2278", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T20:06:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.dovecot.org/security.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.dovecot.org/download.html" }, { "name": "FEDORA-2019-9e004decea", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "name": "FEDORA-2019-1b61a528dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "name": "openSUSE-SU-2019:2281", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "name": "openSUSE-SU-2019:2278", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" } ], "source": { "discovery": "INTERNAL" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-11499", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.dovecot.org/security.html", "refsource": "MISC", "url": "https://www.dovecot.org/security.html" }, { "name": "https://www.dovecot.org/download.html", "refsource": "MISC", "url": "https://www.dovecot.org/download.html" }, { "name": "FEDORA-2019-9e004decea", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "name": "FEDORA-2019-1b61a528dd", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "name": "openSUSE-SU-2019:2281", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "name": "openSUSE-SU-2019:2278", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" } ] }, "source": { "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11499", "datePublished": "2019-05-08T17:00:15", "dateReserved": "2019-04-24T00:00:00", "dateUpdated": "2024-08-04T22:55:40.396Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-4318
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://secunia.com/advisories/46886 | third-party-advisory, x_refsource_SECUNIA | |
http://rhn.redhat.com/errata/RHSA-2013-0520.html | vendor-advisory, x_refsource_REDHAT | |
https://bugs.gentoo.org/show_bug.cgi?id=390887 | x_refsource_MISC | |
https://bugzilla.redhat.com/show_bug.cgi?id=754980 | x_refsource_MISC | |
http://secunia.com/advisories/52311 | third-party-advisory, x_refsource_SECUNIA | |
http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1 | x_refsource_CONFIRM | |
http://www.dovecot.org/list/dovecot-news/2011-November/000200.html | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2011/11/18/7 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2011/11/18/5 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:01:51.650Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "46886", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/46886" }, { "name": "RHSA-2013:0520", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=390887" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=754980" }, { "name": "52311", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/52311" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1" }, { "name": "[dovecot-news] 20111117 v2.0.16 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot-news/2011-November/000200.html" }, { "name": "[oss-security] 20111118 Re: CVE Request -- Dovecot -- Validate certificate\u0027s CN against requested remote server hostname when proxying", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2011/11/18/7" }, { "name": "[oss-security] 20111118 Re: CVE Request -- Dovecot -- Validate certificate\u0027s CN against requested remote server hostname when proxying", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2011/11/18/5" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Dovecot 2.0.x before 2.0.16, when ssl or starttls 
is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2013-03-07T01:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "46886", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/46886" }, { "name": "RHSA-2013:0520", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=390887" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=754980" }, { "name": "52311", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/52311" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1" }, { "name": "[dovecot-news] 20111117 v2.0.16 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot-news/2011-November/000200.html" }, { "name": "[oss-security] 20111118 Re: CVE Request -- Dovecot -- Validate certificate\u0027s CN against requested remote server hostname when proxying", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2011/11/18/7" }, { "name": "[oss-security] 20111118 Re: CVE Request -- Dovecot -- Validate certificate\u0027s CN against requested remote server hostname when proxying", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2011/11/18/5" } ] } }, "cveMetadata": { 
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-4318", "datePublished": "2013-03-07T01:00:00Z", "dateReserved": "2011-11-04T00:00:00Z", "dateUpdated": "2024-08-07T00:01:51.650Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-30550
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:48:36.356Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_transferred" ], "url": "https://www.dovecot.org/download/" }, { "tags": [ "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2022/07/08/1" }, { "name": "[debian-lts-announce] 20220927 [SECURITY] [DLA 3122-1] dovecot security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html" }, { "name": "GLSA-202310-19", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202310-19" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-30550", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-15T17:16:02.736424Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-15T18:35:00.129Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in the auth component in Dovecot 2.2 
and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-30T11:06:19.441543", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://dovecot.org/security" }, { "url": "https://www.dovecot.org/download/" }, { "url": "https://www.openwall.com/lists/oss-security/2022/07/08/1" }, { "name": "[debian-lts-announce] 20220927 [SECURITY] [DLA 3122-1] dovecot security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html" }, { "name": "GLSA-202310-19", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202310-19" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-30550", "datePublished": "2022-07-17T00:00:00", "dateReserved": "2022-05-11T00:00:00", "dateUpdated": "2024-10-15T18:35:00.129Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-2669
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2017/04/11/1 | mailing-list, x_refsource_MLIST | |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669 | x_refsource_CONFIRM | |
https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch | x_refsource_CONFIRM | |
https://www.debian.org/security/2017/dsa-3828 | vendor-advisory, x_refsource_DEBIAN | |
http://www.securityfocus.com/bid/97536 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T14:02:06.877Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[dovecot-news] 20170410 v2.2.29 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html" }, { "name": "[oss-security] 20170411 CVE-2017-2669: Dovecot DoS when passdb dict was used for authentication", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2017/04/11/1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch" }, { "name": "DSA-3828", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2017/dsa-3828" }, { "name": "97536", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/97536" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "dovecot", "vendor": "[UNKNOWN]", "versions": [ { "status": "affected", "version": "dovecot 2.2.29" } ] } ], "datePublic": "2017-04-10T00:00:00", "descriptions": [ { "lang": "en", "value": "Dovecot before version 2.2.29 is vulnerable to a denial of service. When \u0027dict\u0027 passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2018-06-22T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[dovecot-news] 20170410 v2.2.29 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html" }, { "name": "[oss-security] 20170411 CVE-2017-2669: Dovecot DoS when passdb dict was used for authentication", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2017/04/11/1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch" }, { "name": "DSA-3828", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2017/dsa-3828" }, { "name": "97536", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/97536" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2017-2669", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "dovecot", "version": { "version_data": [ { "version_value": "dovecot 2.2.29" } ] } } ] }, "vendor_name": "[UNKNOWN]" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": 
[ { "lang": "eng", "value": "Dovecot before version 2.2.29 is vulnerable to a denial of service. When \u0027dict\u0027 passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang." } ] }, "impact": { "cvss": [ [ { "vectorString": "3.7/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" } ] ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-20" } ] } ] }, "references": { "reference_data": [ { "name": "[dovecot-news] 20170410 v2.2.29 released", "refsource": "MLIST", "url": "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html" }, { "name": "[oss-security] 20170411 CVE-2017-2669: Dovecot DoS when passdb dict was used for authentication", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2017/04/11/1" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669" }, { "name": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch", "refsource": "CONFIRM", "url": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch" }, { "name": "DSA-3828", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2017/dsa-3828" }, { "name": "97536", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97536" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-2669", "datePublished": "2018-06-21T13:00:00", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2024-08-05T14:02:06.877Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-2166
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://www.dovecot.org/doc/NEWS-2.0 | x_refsource_CONFIRM | |
http://dovecot.org/pipermail/dovecot/2011-May/059085.html | mailing-list, x_refsource_MLIST | |
http://rhn.redhat.com/errata/RHSA-2013-0520.html | vendor-advisory, x_refsource_REDHAT | |
http://secunia.com/advisories/52311 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/48003 | vdb-entry, x_refsource_BID | |
http://openwall.com/lists/oss-security/2011/05/18/4 | mailing-list, x_refsource_MLIST | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/67675 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T22:53:17.033Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "name": "[dovecot] 20110511 v2.0.13 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "name": "RHSA-2013:0520", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "name": "52311", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/52311" }, { "name": "48003", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/48003" }, { "name": "[oss-security] 20110518 Dovecot releases", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "name": "dovecot-scriptlogin-sec-bypass(67675)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67675" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-05-11T00:00:00", "descriptions": [ { "lang": "en", "value": "script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "name": "[dovecot] 20110511 v2.0.13 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "name": "RHSA-2013:0520", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "name": "52311", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/52311" }, { "name": "48003", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/48003" }, { "name": "[oss-security] 20110518 Dovecot releases", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "name": "dovecot-scriptlogin-sec-bypass(67675)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67675" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-2166", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.dovecot.org/doc/NEWS-2.0", "refsource": "CONFIRM", "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "name": "[dovecot] 20110511 v2.0.13 released", "refsource": "MLIST", "url": "http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "name": "RHSA-2013:0520", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "name": "52311", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/52311" }, { "name": "48003", "refsource": "BID", "url": "http://www.securityfocus.com/bid/48003" }, { "name": "[oss-security] 20110518 Dovecot releases", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "name": "dovecot-scriptlogin-sec-bypass(67675)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67675" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-2166", "datePublished": "2011-05-24T23:00:00", "dateReserved": "2011-05-24T00:00:00", "dateUpdated": "2024-08-06T22:53:17.033Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-3707
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:18:52.913Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20101004 Re: CVE Request: more dovecot ACL issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=oss-security\u0026m=128622064325688\u0026w=2" }, { "name": "USN-1059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "name": "SUSE-SR:2010:020", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html" }, { "name": "ADV-2010-2572", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/2572" }, { "name": "[oss-security] 20101004 CVE Request: more dovecot ACL issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=oss-security\u0026m=128620520732377\u0026w=2" }, { "name": "MDVSA-2010:217", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "name": "43220", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/43220" }, { "name": "ADV-2011-0301", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "name": "[dovecot] 20101002 v1.2.15 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "name": "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html" }, { "name": "RHSA-2011:0600", 
"tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2011-0600.html" }, { "name": "ADV-2010-2840", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "name": "[dovecot] 20101002 v2.0.5 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053451.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-10-02T00:00:00", "descriptions": [ { "lang": "en", "value": "plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2010-11-19T10:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[oss-security] 20101004 Re: CVE Request: more dovecot ACL issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=oss-security\u0026m=128622064325688\u0026w=2" }, { "name": "USN-1059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "name": "SUSE-SR:2010:020", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html" }, { "name": "ADV-2010-2572", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/2572" }, { "name": "[oss-security] 20101004 CVE Request: more dovecot ACL issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=oss-security\u0026m=128620520732377\u0026w=2" }, { "name": "MDVSA-2010:217", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "name": "43220", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/43220" }, { "name": "ADV-2011-0301", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "name": "[dovecot] 20101002 v1.2.15 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "name": "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html" }, { "name": "RHSA-2011:0600", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": 
"http://www.redhat.com/support/errata/RHSA-2011-0600.html" }, { "name": "ADV-2010-2840", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "name": "[dovecot] 20101002 v2.0.5 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053451.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-3707", "datePublished": "2010-10-06T16:00:00", "dateReserved": "2010-10-01T00:00:00", "dateUpdated": "2024-08-07T03:18:52.913Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-6171
Vulnerability from cvelistv5
| URL | Tags |
|---|---|
| http://cpanel.net/tsr-2013-0010-full-disclosure/ | x_refsource_MISC |
| http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security | x_refsource_CONFIRM |
| https://usn.ubuntu.com/3556-2/ | vendor-advisory, x_refsource_UBUNTU |
| http://secunia.com/advisories/54808 | third-party-advisory, x_refsource_SECUNIA |
| http://www.dovecot.org/list/dovecot-news/2013-November/000264.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T17:29:42.974Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://cpanel.net/tsr-2013-0010-full-disclosure/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security" }, { "name": "USN-3556-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3556-2/" }, { "name": "54808", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/54808" }, { "name": "[Dovecot-news] 20131103 v2.2.7 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot-news/2013-November/000264.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-11-03T00:00:00", "descriptions": [ { "lang": "en", "value": "checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-03-15T09:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://cpanel.net/tsr-2013-0010-full-disclosure/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security" }, { "name": "USN-3556-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3556-2/" }, { "name": "54808", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/54808" }, { "name": "[Dovecot-news] 20131103 v2.2.7 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot-news/2013-November/000264.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-6171", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://cpanel.net/tsr-2013-0010-full-disclosure/", "refsource": "MISC", "url": "http://cpanel.net/tsr-2013-0010-full-disclosure/" }, { "name": "http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security", "refsource": "CONFIRM", "url": "http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security" }, { "name": "USN-3556-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3556-2/" }, { "name": "54808", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/54808" }, { "name": "[Dovecot-news] 20131103 v2.2.7 released", "refsource": "MLIST", "url": "http://www.dovecot.org/list/dovecot-news/2013-November/000264.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-6171", "datePublished": "2013-12-09T11:00:00", "dateReserved": "2013-10-18T00:00:00", "dateUpdated": "2024-08-06T17:29:42.974Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-4577
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T10:24:20.877Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "32164", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32164" }, { "name": "32471", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32471" }, { "name": "33149", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/33149" }, { "name": "ADV-2008-2745", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/2745" }, { "name": "FEDORA-2008-9202", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html" }, { "name": "oval:org.mitre.oval:def:10376", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376" }, { "name": "31587", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/31587" }, { "name": "FEDORA-2008-9232", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html" }, { "name": "MDVSA-2008:232", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232" }, { "name": "USN-838-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "name": "SUSE-SR:2009:004", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "name": "GLSA-200812-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409" }, { "name": "RHSA-2009:0205", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html" }, { "name": "33624", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/33624" }, { "name": "[Dovecot-news] 20081005 v1.1.4 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html" }, { "name": "36904", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36904" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-10-05T00:00:00", "descriptions": [ { "lang": "en", "value": "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "32164", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32164" }, { "name": "32471", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32471" }, { "name": "33149", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/33149" }, { "name": "ADV-2008-2745", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/2745" }, { "name": "FEDORA-2008-9202", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html" }, { "name": "oval:org.mitre.oval:def:10376", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376" }, { "name": "31587", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/31587" }, { "name": "FEDORA-2008-9232", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html" }, { "name": "MDVSA-2008:232", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232" }, { "name": "USN-838-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "name": "SUSE-SR:2009:004", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "name": "GLSA-200812-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": 
"http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409" }, { "name": "RHSA-2009:0205", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html" }, { "name": "33624", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/33624" }, { "name": "[Dovecot-news] 20081005 v1.1.4 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html" }, { "name": "36904", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36904" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2008-4577", "datePublished": "2008-10-15T20:00:00", "dateReserved": "2008-10-15T00:00:00", "dateUpdated": "2024-08-07T10:24:20.877Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-12100
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:48:57.941Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security" }, { "name": "[oss-security] 20200812 CVE-2020-12100: Dovecot IMAP server: Receiving mail with deeply nested MIME parts leads to resource exhaustion", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/08/12/1" }, { "name": "DSA-4745", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4745" }, { "name": "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "name": "USN-4456-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4456-1/" }, { "name": "USN-4456-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4456-2/" }, { "name": "FEDORA-2020-cd8b8f887b", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "name": "GLSA-202009-02", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202009-02" }, { "name": "FEDORA-2020-b8ebc4201e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "name": "FEDORA-2020-d737c57172", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" }, { "name": "[oss-security] 20210104 CVE-2020-25275: Dovecot: MIME parsing crash", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/01/04/3" }, { "name": "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2021/Jan/18" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-06T22:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security" }, { "name": "[oss-security] 20200812 CVE-2020-12100: Dovecot IMAP server: Receiving mail with deeply nested MIME parts leads to resource exhaustion", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2020/08/12/1" }, { "name": "DSA-4745", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4745" }, { "name": "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "name": "USN-4456-1", "tags": [ "vendor-advisory", 
"x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4456-1/" }, { "name": "USN-4456-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4456-2/" }, { "name": "FEDORA-2020-cd8b8f887b", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "name": "GLSA-202009-02", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202009-02" }, { "name": "FEDORA-2020-b8ebc4201e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "name": "FEDORA-2020-d737c57172", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" }, { "name": "[oss-security] 20210104 CVE-2020-25275: Dovecot: MIME parsing crash", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/01/04/3" }, { "name": "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2021/Jan/18" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-12100", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of 
service (resource consumption) via a crafted e-mail message with deeply nested MIME parts." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security" }, { "name": "[oss-security] 20200812 CVE-2020-12100: Dovecot IMAP server: Receiving mail with deeply nested MIME parts leads to resource exhaustion", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/08/12/1" }, { "name": "DSA-4745", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4745" }, { "name": "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "name": "USN-4456-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4456-1/" }, { "name": "USN-4456-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4456-2/" }, { "name": "FEDORA-2020-cd8b8f887b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "name": "GLSA-202009-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202009-02" }, { "name": "FEDORA-2020-b8ebc4201e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "name": "FEDORA-2020-d737c57172", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" }, { "name": "[oss-security] 20210104 CVE-2020-25275: Dovecot: MIME parsing crash", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/01/04/3" }, { "name": "20210106 CVE-2020-24386: IMAP hibernation allows 
accessing other peoples mail", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2021/Jan/18" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-12100", "datePublished": "2020-08-12T15:07:52", "dateReserved": "2020-04-23T00:00:00", "dateUpdated": "2024-08-04T11:48:57.941Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-7524
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T20:54:27.055Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/list/dovecot-news/2019-March/000403.html" }, { "name": "[oss-security] 20190328 CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/03/28/1" }, { "name": "20190328 [SECURITY] [DSA 4418-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2019/Mar/59" }, { "name": "DSA-4418", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2019/dsa-4418" }, { "name": "[debian-lts-announce] 20190329 [SECURITY] [DLA 1736-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00038.html" }, { "name": "USN-3928-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3928-1/" }, { "name": "107672", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/107672" }, { "name": "openSUSE-SU-2019:1212", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00060.html" }, { "name": "openSUSE-SU-2019:1220", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html" }, { "name": "GLSA-201904-19", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": 
"https://security.gentoo.org/glsa/201904-19" }, { "name": "FEDORA-2019-9e004decea", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "name": "FEDORA-2019-1b61a528dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:L/A:H/C:H/I:H/PR:L/S:C/UI:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-07-12T07:06:05", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/list/dovecot-news/2019-March/000403.html" }, { "name": "[oss-security] 20190328 CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": 
"http://www.openwall.com/lists/oss-security/2019/03/28/1" }, { "name": "20190328 [SECURITY] [DSA 4418-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2019/Mar/59" }, { "name": "DSA-4418", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2019/dsa-4418" }, { "name": "[debian-lts-announce] 20190329 [SECURITY] [DLA 1736-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00038.html" }, { "name": "USN-3928-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3928-1/" }, { "name": "107672", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/107672" }, { "name": "openSUSE-SU-2019:1212", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00060.html" }, { "name": "openSUSE-SU-2019:1220", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html" }, { "name": "GLSA-201904-19", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201904-19" }, { "name": "FEDORA-2019-9e004decea", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "name": "FEDORA-2019-1b61a528dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-7524", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { 
"version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:L/A:H/C:H/I:H/PR:L/S:C/UI:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security.html", "refsource": "MISC", "url": "https://dovecot.org/security.html" }, { "name": "https://dovecot.org/list/dovecot-news/2019-March/000403.html", "refsource": "MISC", "url": "https://dovecot.org/list/dovecot-news/2019-March/000403.html" }, { "name": "[oss-security] 20190328 CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/03/28/1" }, { "name": "20190328 [SECURITY] [DSA 4418-1] dovecot security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Mar/59" }, { "name": "DSA-4418", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4418" }, { "name": "[debian-lts-announce] 20190329 [SECURITY] [DLA 1736-1] dovecot security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00038.html" }, { "name": "USN-3928-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3928-1/" }, { "name": "107672", "refsource": "BID", 
"url": "http://www.securityfocus.com/bid/107672" }, { "name": "openSUSE-SU-2019:1212", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00060.html" }, { "name": "openSUSE-SU-2019:1220", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html" }, { "name": "GLSA-201904-19", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201904-19" }, { "name": "FEDORA-2019-9e004decea", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "name": "FEDORA-2019-1b61a528dd", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-7524", "datePublished": "2019-03-28T13:45:20", "dateReserved": "2019-02-06T00:00:00", "dateUpdated": "2024-08-04T20:54:27.055Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-12673
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:04:22.551Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2020/08/12/2" }, { "name": "DSA-4745", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4745" }, { "name": "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "name": "USN-4456-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4456-1/" }, { "name": "USN-4456-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4456-2/" }, { "name": "openSUSE-SU-2020:1241", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html" }, { "name": "openSUSE-SU-2020:1262", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html" }, { "name": "FEDORA-2020-cd8b8f887b", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "name": "GLSA-202009-02", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202009-02" }, { "name": "FEDORA-2020-b8ebc4201e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "name": "FEDORA-2020-d737c57172", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-13T21:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.openwall.com/lists/oss-security/2020/08/12/2" }, { "name": "DSA-4745", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4745" }, { "name": "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "name": "USN-4456-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4456-1/" }, { "name": "USN-4456-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4456-2/" }, { "name": "openSUSE-SU-2020:1241", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html" }, { "name": "openSUSE-SU-2020:1262", "tags": [ "vendor-advisory", 
"x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html" }, { "name": "FEDORA-2020-cd8b8f887b", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "name": "GLSA-202009-02", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202009-02" }, { "name": "FEDORA-2020-b8ebc4201e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "name": "FEDORA-2020-d737c57172", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-12673", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security" }, { "name": "https://www.openwall.com/lists/oss-security/2020/08/12/2", "refsource": "CONFIRM", "url": "https://www.openwall.com/lists/oss-security/2020/08/12/2" }, { "name": "DSA-4745", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4745" }, { "name": "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "name": "USN-4456-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4456-1/" }, { "name": "USN-4456-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4456-2/" }, { "name": "openSUSE-SU-2020:1241", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html" }, { "name": "openSUSE-SU-2020:1262", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html" }, { "name": "FEDORA-2020-cd8b8f887b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "name": "GLSA-202009-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202009-02" }, { "name": "FEDORA-2020-b8ebc4201e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "name": "FEDORA-2020-d737c57172", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", 
"cveId": "CVE-2020-12673", "datePublished": "2020-08-12T15:18:13", "dateReserved": "2020-05-06T00:00:00", "dateUpdated": "2024-08-04T12:04:22.551Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-14461
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://usn.ubuntu.com/3587-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2018/dsa-4130 | vendor-advisory, x_refsource_DEBIAN | |
https://usn.ubuntu.com/3587-2/ | vendor-advisory, x_refsource_UBUNTU | |
http://www.securityfocus.com/bid/103201 | vdb-entry, x_refsource_BID | |
https://www.dovecot.org/list/dovecot-news/2018-February/000370.html | mailing-list, x_refsource_MLIST | |
https://talosintelligence.com/vulnerability_reports/TALOS-2017-0510 | x_refsource_MISC |
Vendor | Product | Version |
---|---|---|
The Dovecot Project | Dovecot | 2.2.33.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:27:40.633Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-3587-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3587-1/" }, { "name": "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "name": "DSA-4130", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2018/dsa-4130" }, { "name": "USN-3587-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3587-2/" }, { "name": "103201", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103201" }, { "name": "[dovecot-news] 20180228 v2.2.34 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0510" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Dovecot", "vendor": "The Dovecot Project", "versions": [ { "status": "affected", "version": "2.2.33.2" } ] } ], "datePublic": "2018-02-28T00:00:00", "descriptions": [ { "lang": "en", "value": "A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T18:21:09", "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos" }, "references": [ { "name": "USN-3587-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3587-1/" }, { "name": "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "name": "DSA-4130", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2018/dsa-4130" }, { "name": "USN-3587-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3587-2/" }, { "name": "103201", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103201" }, { "name": "[dovecot-news] 20180228 v2.2.34 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0510" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "talos-cna@cisco.com", "DATE_PUBLIC": "2018-02-28T00:00:00", "ID": "CVE-2017-14461", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Dovecot", "version": { "version_data": [ { 
"version_value": "2.2.33.2" } ] } } ] }, "vendor_name": "The Dovecot Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server." } ] }, "impact": { "cvss": { "baseScore": 5.9, "baseSeverity": "Medium", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-125: Out-of-bounds Read" } ] } ] }, "references": { "reference_data": [ { "name": "USN-3587-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3587-1/" }, { "name": "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "name": "DSA-4130", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4130" }, { "name": "USN-3587-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3587-2/" }, { "name": "103201", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103201" }, { "name": "[dovecot-news] 20180228 v2.2.34 released", "refsource": "MLIST", "url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" }, { "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0510", "refsource": "MISC", "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0510" } ] } } } }, "cveMetadata": { "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "assignerShortName": "talos", "cveId": "CVE-2017-14461", "datePublished": "2018-03-02T15:00:00Z", "dateReserved": "2017-09-13T00:00:00", "dateUpdated": 
"2024-09-16T23:00:46.355Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2007-4211
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11558 | vdb-entry, signature, x_refsource_OVAL | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/35767 | vdb-entry, x_refsource_XF | |
http://secunia.com/advisories/30342 | third-party-advisory, x_refsource_SECUNIA | |
http://www.redhat.com/support/errata/RHSA-2008-0297.html | vendor-advisory, x_refsource_REDHAT | |
http://www.securityfocus.com/bid/25182 | vdb-entry, x_refsource_BID | |
https://issues.rpath.com/browse/RPL-1621 | x_refsource_CONFIRM | |
http://secunia.com/advisories/26320 | third-party-advisory, x_refsource_SECUNIA | |
http://www.dovecot.org/list/dovecot-news/2007-August/000048.html | mailing-list, x_refsource_MLIST | |
http://secunia.com/advisories/26475 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T14:46:39.432Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "oval:org.mitre.oval:def:11558", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11558" }, { "name": "dovecot-aclplugin-security-bypass(35767)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35767" }, { "name": "30342", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/30342" }, { "name": "RHSA-2008:0297", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "name": "25182", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/25182" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.rpath.com/browse/RPL-1621" }, { "name": "26320", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26320" }, { "name": "[dovecot-news] 20070801 v1.0.3 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot-news/2007-August/000048.html" }, { "name": "26475", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/26475" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-08-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or 
(2) APPEND command." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "oval:org.mitre.oval:def:11558", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11558" }, { "name": "dovecot-aclplugin-security-bypass(35767)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35767" }, { "name": "30342", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/30342" }, { "name": "RHSA-2008:0297", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "name": "25182", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/25182" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.rpath.com/browse/RPL-1621" }, { "name": "26320", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26320" }, { "name": "[dovecot-news] 20070801 v1.0.3 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot-news/2007-August/000048.html" }, { "name": "26475", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/26475" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-4211", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", 
"value": "The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "oval:org.mitre.oval:def:11558", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11558" }, { "name": "dovecot-aclplugin-security-bypass(35767)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35767" }, { "name": "30342", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30342" }, { "name": "RHSA-2008:0297", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "name": "25182", "refsource": "BID", "url": "http://www.securityfocus.com/bid/25182" }, { "name": "https://issues.rpath.com/browse/RPL-1621", "refsource": "CONFIRM", "url": "https://issues.rpath.com/browse/RPL-1621" }, { "name": "26320", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26320" }, { "name": "[dovecot-news] 20070801 v1.0.3 released", "refsource": "MLIST", "url": "http://www.dovecot.org/list/dovecot-news/2007-August/000048.html" }, { "name": "26475", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26475" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-4211", "datePublished": "2007-08-08T01:52:00", "dateReserved": "2007-08-07T00:00:00", "dateUpdated": "2024-08-07T14:46:39.432Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-3780
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://www.ubuntu.com/usn/USN-1059-1 | vendor-advisory, x_refsource_UBUNTU | |
http://www.mandriva.com/security/advisories?name=MDVSA-2010:217 | vendor-advisory, x_refsource_MANDRIVA | |
http://secunia.com/advisories/43220 | third-party-advisory, x_refsource_SECUNIA | |
http://www.vupen.com/english/advisories/2011/0301 | vdb-entry, x_refsource_VUPEN | |
http://www.dovecot.org/list/dovecot/2010-October/053450.html | mailing-list, x_refsource_MLIST | |
http://www.redhat.com/support/errata/RHSA-2011-0600.html | vendor-advisory, x_refsource_REDHAT | |
http://www.vupen.com/english/advisories/2010/2840 | vdb-entry, x_refsource_VUPEN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:18:53.196Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-1059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "name": "MDVSA-2010:217", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "name": "43220", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/43220" }, { "name": "ADV-2011-0301", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "name": "[dovecot] 20101002 v1.2.15 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "name": "RHSA-2011:0600", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2011-0600.html" }, { "name": "ADV-2010-2840", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/2840" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-10-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneously disconnecting many (1) IMAP or (2) POP3 sessions." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2010-11-19T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "USN-1059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "name": "MDVSA-2010:217", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "name": "43220", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/43220" }, { "name": "ADV-2011-0301", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "name": "[dovecot] 20101002 v1.2.15 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "name": "RHSA-2011:0600", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2011-0600.html" }, { "name": "ADV-2010-2840", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/2840" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-3780", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneously disconnecting many (1) IMAP or (2) POP3 sessions." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "USN-1059-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "name": "MDVSA-2010:217", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "name": "43220", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/43220" }, { "name": "ADV-2011-0301", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "name": "[dovecot] 20101002 v1.2.15 released", "refsource": "MLIST", "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "name": "RHSA-2011:0600", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2011-0600.html" }, { "name": "ADV-2010-2840", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/2840" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-3780", "datePublished": "2010-10-06T20:00:00", "dateReserved": "2010-10-06T00:00:00", "dateUpdated": "2024-08-07T03:18:53.196Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-19722
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://dovecot.org/list/dovecot-news/2019-December/000428.html | x_refsource_CONFIRM | |
https://dovecot.org/security.html | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2019/12/13/3 | x_refsource_CONFIRM | |
https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OZCJ3RBA4WIYGN7SOV4TW2AIHXPZATK/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PPB7PG5BM3MC5ZF2KHQ3UR7CZIO42BB/ | vendor-advisory, x_refsource_FEDORA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:25:12.619Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://dovecot.org/list/dovecot-news/2019-December/000428.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://dovecot.org/security.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/12/13/3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html" }, { "name": "FEDORA-2019-5898f4f935", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OZCJ3RBA4WIYGN7SOV4TW2AIHXPZATK/" }, { "name": "FEDORA-2019-72e5ac943a", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PPB7PG5BM3MC5ZF2KHQ3UR7CZIO42BB/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-12T02:06:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://dovecot.org/list/dovecot-news/2019-December/000428.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://dovecot.org/security.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.openwall.com/lists/oss-security/2019/12/13/3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html" }, { "name": "FEDORA-2019-5898f4f935", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OZCJ3RBA4WIYGN7SOV4TW2AIHXPZATK/" }, { "name": "FEDORA-2019-72e5ac943a", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PPB7PG5BM3MC5ZF2KHQ3UR7CZIO42BB/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19722", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/list/dovecot-news/2019-December/000428.html", "refsource": "CONFIRM", "url": "https://dovecot.org/list/dovecot-news/2019-December/000428.html" }, { "name": "https://dovecot.org/security.html", "refsource": "CONFIRM", "url": "https://dovecot.org/security.html" }, { "name": "http://www.openwall.com/lists/oss-security/2019/12/13/3", "refsource": "CONFIRM", "url": "http://www.openwall.com/lists/oss-security/2019/12/13/3" }, { "name": "https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html", "refsource": "CONFIRM", "url": "https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html" }, { "name": "FEDORA-2019-5898f4f935", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OZCJ3RBA4WIYGN7SOV4TW2AIHXPZATK/" }, { "name": "FEDORA-2019-72e5ac943a", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PPB7PG5BM3MC5ZF2KHQ3UR7CZIO42BB/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19722", "datePublished": "2019-12-13T16:34:48", "dateReserved": "2019-12-11T00:00:00", "dateUpdated": "2024-08-05T02:25:12.619Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2007-6598
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T16:11:06.066Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "28434", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/28434" }, { "name": "30342", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/30342" }, { "name": "oval:org.mitre.oval:def:10458", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10458" }, { "name": "20080103 Re: rPSA-2008-0001-1 dovecot", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/485787/100/0/threaded" }, { "name": "RHSA-2008:0297", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "name": "USN-567-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/usn-567-1" }, { "name": "27093", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/27093" }, { "name": "ADV-2008-0017", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/0017" }, { "name": "39876", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/39876" }, { "name": "SUSE-SR:2008:020", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "name": "20080103 rPSA-2008-0001-1 dovecot", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/485779/100/0/threaded" }, { "name": "DSA-1457", "tags": [ 
"vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2008/dsa-1457" }, { "name": "[Dovecot-news] 20071221 Security hole #4: Specific LDAP + auth cache configuration may mix up user logins", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://dovecot.org/list/dovecot-news/2007-December/000057.html" }, { "name": "32151", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32151" }, { "name": "28404", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/28404" }, { "name": "28271", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/28271" }, { "name": "[Dovecot-news] 20071229 v1.0.10 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://dovecot.org/list/dovecot-news/2007-December/000058.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.rpath.com/browse/RPL-2076" }, { "name": "28227", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/28227" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-12-21T00:00:00", "descriptions": [ { "lang": "en", "value": "Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "28434", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/28434" }, { "name": "30342", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/30342" }, { "name": "oval:org.mitre.oval:def:10458", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10458" }, { "name": "20080103 Re: rPSA-2008-0001-1 dovecot", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/485787/100/0/threaded" }, { "name": "RHSA-2008:0297", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "name": "USN-567-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/usn-567-1" }, { "name": "27093", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/27093" }, { "name": "ADV-2008-0017", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/0017" }, { "name": "39876", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/39876" }, { "name": "SUSE-SR:2008:020", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "name": "20080103 rPSA-2008-0001-1 dovecot", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/485779/100/0/threaded" }, { "name": "DSA-1457", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2008/dsa-1457" }, { "name": 
"[Dovecot-news] 20071221 Security hole #4: Specific LDAP + auth cache configuration may mix up user logins", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://dovecot.org/list/dovecot-news/2007-December/000057.html" }, { "name": "32151", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32151" }, { "name": "28404", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/28404" }, { "name": "28271", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/28271" }, { "name": "[Dovecot-news] 20071229 v1.0.10 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://dovecot.org/list/dovecot-news/2007-December/000058.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.rpath.com/browse/RPL-2076" }, { "name": "28227", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/28227" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-6598", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "28434", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/28434" }, { "name": "30342", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30342" }, { "name": "oval:org.mitre.oval:def:10458", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10458" }, { "name": "20080103 Re: rPSA-2008-0001-1 dovecot", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/485787/100/0/threaded" }, { "name": "RHSA-2008:0297", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "name": "USN-567-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/usn-567-1" }, { "name": "27093", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27093" }, { "name": "ADV-2008-0017", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/0017" }, { "name": "39876", "refsource": "OSVDB", "url": "http://osvdb.org/39876" }, { "name": "SUSE-SR:2008:020", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "name": "20080103 rPSA-2008-0001-1 dovecot", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/485779/100/0/threaded" }, { "name": "DSA-1457", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1457" }, { "name": "[Dovecot-news] 20071221 Security hole #4: Specific LDAP + auth cache configuration may mix up user logins", "refsource": "MLIST", "url": "http://dovecot.org/list/dovecot-news/2007-December/000057.html" }, { "name": "32151", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32151" }, { "name": "28404", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/28404" }, { "name": "28271", "refsource": "SECUNIA", "url": 
"http://secunia.com/advisories/28271" }, { "name": "[Dovecot-news] 20071229 v1.0.10 released", "refsource": "MLIST", "url": "http://dovecot.org/list/dovecot-news/2007-December/000058.html" }, { "name": "https://issues.rpath.com/browse/RPL-2076", "refsource": "CONFIRM", "url": "https://issues.rpath.com/browse/RPL-2076" }, { "name": "28227", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/28227" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-6598", "datePublished": "2008-01-04T02:00:00", "dateReserved": "2007-12-31T00:00:00", "dateUpdated": "2024-08-07T16:11:06.066Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-28200
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://dovecot.org/security | x_refsource_MISC | |
https://www.openwall.com/lists/oss-security/2021/06/28/3 | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/ | vendor-advisory, x_refsource_FEDORA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T16:33:58.153Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2021/06/28/3" }, { "name": "FEDORA-2021-208340a217", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "name": "FEDORA-2021-891c1ab1ac", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:L/C:N/I:N/PR:L/S:U/UI:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-05T02:06:26", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.openwall.com/lists/oss-security/2021/06/28/3" }, { "name": "FEDORA-2021-208340a217", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "name": "FEDORA-2021-891c1ab1ac", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-28200", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:L/C:N/I:N/PR:L/S:U/UI:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security" }, { "name": "https://www.openwall.com/lists/oss-security/2021/06/28/3", "refsource": "CONFIRM", "url": "https://www.openwall.com/lists/oss-security/2021/06/28/3" }, { "name": "FEDORA-2021-208340a217", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "name": "FEDORA-2021-891c1ab1ac", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-28200", "datePublished": "2021-06-28T12:08:46", "dateReserved": "2020-11-04T00:00:00", "dateUpdated": "2024-08-04T16:33:58.153Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-29157
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://dovecot.org/security | x_refsource_MISC | |
https://www.openwall.com/lists/oss-security/2021/06/28/1 | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/ | vendor-advisory, x_refsource_FEDORA | |
https://security.gentoo.org/glsa/202107-41 | vendor-advisory, x_refsource_GENTOO |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:02:51.122Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2021/06/28/1" }, { "name": "FEDORA-2021-208340a217", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "name": "FEDORA-2021-891c1ab1ac", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" }, { "name": "GLSA-202107-41", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202107-41" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:H/AV:L/A:N/C:H/I:H/PR:L/S:C/UI:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-18T05:06:18", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.openwall.com/lists/oss-security/2021/06/28/1" }, { "name": "FEDORA-2021-208340a217", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "name": "FEDORA-2021-891c1ab1ac", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" }, { "name": "GLSA-202107-41", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202107-41" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29157", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Dovecot before 2.3.15 allows ../ Path Traversal. 
An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:H/AV:L/A:N/C:H/I:H/PR:L/S:C/UI:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security" }, { "name": "https://www.openwall.com/lists/oss-security/2021/06/28/1", "refsource": "CONFIRM", "url": "https://www.openwall.com/lists/oss-security/2021/06/28/1" }, { "name": "FEDORA-2021-208340a217", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "name": "FEDORA-2021-891c1ab1ac", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" }, { "name": "GLSA-202107-41", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202107-41" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29157", "datePublished": "2021-06-28T11:58:41", "dateReserved": "2021-03-25T00:00:00", "dateUpdated": "2024-08-03T22:02:51.122Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-15132
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html | mailing-list, x_refsource_MLIST | |
https://bugzilla.redhat.com/show_bug.cgi?id=1532768 | x_refsource_CONFIRM | |
https://www.debian.org/security/2018/dsa-4130 | vendor-advisory, x_refsource_DEBIAN | |
https://usn.ubuntu.com/3556-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://usn.ubuntu.com/3556-2/ | vendor-advisory, x_refsource_UBUNTU | |
https://www.dovecot.org/list/dovecot-news/2018-February/000370.html | mailing-list, x_refsource_MLIST |
Vendor | Product | Version |
---|---|---|
The Dovecot Project | dovecot | 2.0 up to 2.2.33 and 2.3.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:50:16.152Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch" }, { "name": "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1532768" }, { "name": "DSA-4130", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2018/dsa-4130" }, { "name": "USN-3556-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3556-1/" }, { "name": "USN-3556-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3556-2/" }, { "name": "[dovecot-news] 20180228 v2.2.34 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "dovecot", "vendor": "The Dovecot Project", "versions": [ { "status": "affected", "version": "2.0 up to 2.2.33 and 2.3.0" } ] } ], "datePublic": "2018-01-25T00:00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot\u0027s auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-01T09:57:02", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch" }, { "name": "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1532768" }, { "name": "DSA-4130", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2018/dsa-4130" }, { "name": "USN-3556-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3556-1/" }, { "name": "USN-3556-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3556-2/" }, { "name": "[dovecot-news] 20180228 v2.2.34 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "DATE_PUBLIC": "2018-01-25T00:00:00", "ID": "CVE-2017-15132", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "dovecot", "version": { "version_data": [ { "version_value": "2.0 up to 2.2.33 and 2.3.0" } ] } } ] }, "vendor_name": "The Dovecot Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot\u0027s auth client used by login processes. 
The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch", "refsource": "CONFIRM", "url": "https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch" }, { "name": "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1532768", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1532768" }, { "name": "DSA-4130", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4130" }, { "name": "USN-3556-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3556-1/" }, { "name": "USN-3556-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3556-2/" }, { "name": "[dovecot-news] 20180228 v2.2.34 released", "refsource": "MLIST", "url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-15132", "datePublished": "2018-01-25T20:00:00Z", "dateReserved": "2017-10-08T00:00:00", "dateUpdated": "2024-09-17T00:36:33.953Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-25275
Vulnerability from cvelistv5
| URL | Tags |
|---|---|
| https://dovecot.org/security | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2021/01/04/3 | x_refsource_CONFIRM |
| https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html | x_refsource_CONFIRM |
| https://www.debian.org/security/2021/dsa-4825 | vendor-advisory, x_refsource_DEBIAN |
| http://seclists.org/fulldisclosure/2021/Jan/18 | mailing-list, x_refsource_FULLDISC |
| http://packetstormsecurity.com/files/160841/Dovecot-2.3.11.3-Denial-Of-Service.html | x_refsource_MISC |
| https://security.gentoo.org/glsa/202101-01 | vendor-advisory, x_refsource_GENTOO |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/ | vendor-advisory, x_refsource_FEDORA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:33:05.386Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/01/04/3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html" }, { "name": "DSA-4825", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4825" }, { "name": "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2021/Jan/18" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/160841/Dovecot-2.3.11.3-Denial-Of-Service.html" }, { "name": "GLSA-202101-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202101-01" }, { "name": "FEDORA-2021-c90cb486f7", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-20T02:06:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.openwall.com/lists/oss-security/2021/01/04/3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html" }, { "name": "DSA-4825", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4825" }, { "name": "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2021/Jan/18" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/160841/Dovecot-2.3.11.3-Denial-Of-Service.html" }, { "name": "GLSA-202101-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202101-01" }, { "name": "FEDORA-2021-c90cb486f7", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-25275", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten 
thousand MIME parts." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security" }, { "name": "http://www.openwall.com/lists/oss-security/2021/01/04/3", "refsource": "CONFIRM", "url": "http://www.openwall.com/lists/oss-security/2021/01/04/3" }, { "name": "https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html", "refsource": "CONFIRM", "url": "https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html" }, { "name": "DSA-4825", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4825" }, { "name": "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2021/Jan/18" }, { "name": "http://packetstormsecurity.com/files/160841/Dovecot-2.3.11.3-Denial-Of-Service.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/160841/Dovecot-2.3.11.3-Denial-Of-Service.html" }, { "name": "GLSA-202101-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202101-01" }, { "name": "FEDORA-2021-c90cb486f7", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-25275", "datePublished": "2021-01-04T16:19:08", "dateReserved": "2020-09-11T00:00:00", "dateUpdated": "2024-08-04T15:33:05.386Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11500
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:55:40.604Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.dovecot.org/security.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/08/28/3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html" }, { "name": "[debian-lts-announce] 20190829 [SECURITY] [DLA 1901-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html" }, { "name": "FEDORA-2019-3844281be1", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/" }, { "name": "GLSA-201908-29", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-29" }, { "name": "FEDORA-2019-59d60bd1fa", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/" }, { "name": "FEDORA-2019-ea638fb605", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/" }, { "name": "RHSA-2019:2822", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2822" }, { "name": "RHSA-2019:2836", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2836" }, { "name": 
"RHSA-2019:2885", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2885" }, { "name": "openSUSE-SU-2019:2281", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "name": "openSUSE-SU-2019:2278", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because \u0027\\0\u0027 characters are mishandled, and can lead to out-of-bounds writes and remote code execution." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T20:06:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.dovecot.org/security.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.openwall.com/lists/oss-security/2019/08/28/3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html" }, { "name": "[debian-lts-announce] 20190829 [SECURITY] [DLA 1901-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html" }, { "name": "FEDORA-2019-3844281be1", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/" }, { "name": "GLSA-201908-29", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-29" }, { "name": "FEDORA-2019-59d60bd1fa", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/" }, { "name": "FEDORA-2019-ea638fb605", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/" }, { "name": "RHSA-2019:2822", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2822" }, { "name": "RHSA-2019:2836", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2836" }, { "name": "RHSA-2019:2885", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2885" }, { "name": "openSUSE-SU-2019:2281", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "name": "openSUSE-SU-2019:2278", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-11500", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Dovecot before 2.2.36.4 and 2.3.x before 
2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because \u0027\\0\u0027 characters are mishandled, and can lead to out-of-bounds writes and remote code execution." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.dovecot.org/security.html", "refsource": "MISC", "url": "https://www.dovecot.org/security.html" }, { "name": "http://www.openwall.com/lists/oss-security/2019/08/28/3", "refsource": "CONFIRM", "url": "http://www.openwall.com/lists/oss-security/2019/08/28/3" }, { "name": "https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html", "refsource": "CONFIRM", "url": "https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html" }, { "name": "[debian-lts-announce] 20190829 [SECURITY] [DLA 1901-1] dovecot security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html" }, { "name": "FEDORA-2019-3844281be1", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/" }, { "name": "GLSA-201908-29", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-29" }, { "name": "FEDORA-2019-59d60bd1fa", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/" }, { "name": "FEDORA-2019-ea638fb605", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/" }, { "name": "RHSA-2019:2822", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2822" }, { "name": "RHSA-2019:2836", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2836" }, { "name": "RHSA-2019:2885", "refsource": "REDHAT", 
"url": "https://access.redhat.com/errata/RHSA-2019:2885" }, { "name": "openSUSE-SU-2019:2281", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "name": "openSUSE-SU-2019:2278", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11500", "datePublished": "2019-08-29T13:51:46", "dateReserved": "2019-04-24T00:00:00", "dateUpdated": "2024-08-04T22:55:40.604Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-12674
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:04:22.541Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2020/08/12/3" }, { "name": "DSA-4745", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4745" }, { "name": "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "name": "USN-4456-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4456-1/" }, { "name": "USN-4456-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4456-2/" }, { "name": "openSUSE-SU-2020:1241", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html" }, { "name": "openSUSE-SU-2020:1262", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html" }, { "name": "FEDORA-2020-cd8b8f887b", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "name": "GLSA-202009-02", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202009-02" }, { "name": "FEDORA-2020-b8ebc4201e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "name": "FEDORA-2020-d737c57172", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-13T21:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.openwall.com/lists/oss-security/2020/08/12/3" }, { "name": "DSA-4745", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4745" }, { "name": "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "name": "USN-4456-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4456-1/" }, { "name": "USN-4456-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4456-2/" }, { "name": "openSUSE-SU-2020:1241", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html" }, { "name": "openSUSE-SU-2020:1262", "tags": [ "vendor-advisory", 
"x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html" }, { "name": "FEDORA-2020-cd8b8f887b", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "name": "GLSA-202009-02", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202009-02" }, { "name": "FEDORA-2020-b8ebc4201e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "name": "FEDORA-2020-d737c57172", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-12674", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security" }, { "name": "https://www.openwall.com/lists/oss-security/2020/08/12/3", "refsource": "CONFIRM", "url": "https://www.openwall.com/lists/oss-security/2020/08/12/3" }, { "name": "DSA-4745", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4745" }, { "name": "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "name": "USN-4456-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4456-1/" }, { "name": "USN-4456-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4456-2/" }, { "name": "openSUSE-SU-2020:1241", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html" }, { "name": "openSUSE-SU-2020:1262", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html" }, { "name": "FEDORA-2020-cd8b8f887b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "name": "GLSA-202009-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202009-02" }, { "name": "FEDORA-2020-b8ebc4201e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "name": "FEDORA-2020-d737c57172", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", 
"cveId": "CVE-2020-12674", "datePublished": "2020-08-12T15:20:29", "dateReserved": "2020-05-06T00:00:00", "dateUpdated": "2024-08-04T12:04:22.541Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-3430
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:43:06.101Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20140509 CVE request: Denial of Service attacks against Dovecot v1.1+", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2014/05/09/4" }, { "name": "59051", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/59051" }, { "name": "[oss-security] 20140509 Re: CVE request: Denial of Service attacks against Dovecot v1.1+", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2014/05/09/8" }, { "name": "59537", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/59537" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://advisories.mageia.org/MGASA-2014-0223.html" }, { "name": "[dovecot] 20140508 Denial of Service attacks against Dovecot v1.1+", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://permalink.gmane.org/gmane.mail.imap.dovecot/77499" }, { "name": "DSA-2954", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2014/dsa-2954" }, { "name": "59552", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/59552" }, { "name": "USN-2213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2213-1" }, { "name": "67306", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/67306" }, { "name": "MDVSA-2015:113", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": 
"http://www.mandriva.com/security/advisories?name=MDVSA-2015:113" }, { "name": "RHSA-2014:0790", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0790.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://linux.oracle.com/errata/ELSA-2014-0790.html" }, { "name": "[Dovecot-news] 20140511 v2.2.13 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://dovecot.org/pipermail/dovecot-news/2014-May/000273.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-05-08T00:00:00", "descriptions": [ { "lang": "en", "value": "Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-12-28T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20140509 CVE request: Denial of Service attacks against Dovecot v1.1+", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2014/05/09/4" }, { "name": "59051", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/59051" }, { "name": "[oss-security] 20140509 Re: CVE request: Denial of Service attacks against Dovecot v1.1+", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2014/05/09/8" }, { "name": "59537", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/59537" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://advisories.mageia.org/MGASA-2014-0223.html" }, { "name": "[dovecot] 20140508 Denial of Service attacks against Dovecot v1.1+", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://permalink.gmane.org/gmane.mail.imap.dovecot/77499" }, { "name": "DSA-2954", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2014/dsa-2954" }, { "name": "59552", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/59552" }, { "name": "USN-2213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2213-1" }, { "name": "67306", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/67306" }, { "name": "MDVSA-2015:113", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:113" }, { "name": "RHSA-2014:0790", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": 
"http://rhn.redhat.com/errata/RHSA-2014-0790.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://linux.oracle.com/errata/ELSA-2014-0790.html" }, { "name": "[Dovecot-news] 20140511 v2.2.13 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://dovecot.org/pipermail/dovecot-news/2014-May/000273.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3430", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20140509 CVE request: Denial of Service attacks against Dovecot v1.1+", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2014/05/09/4" }, { "name": "59051", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/59051" }, { "name": "[oss-security] 20140509 Re: CVE request: Denial of Service attacks against Dovecot v1.1+", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2014/05/09/8" }, { "name": "59537", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/59537" }, { "name": "http://advisories.mageia.org/MGASA-2014-0223.html", "refsource": "CONFIRM", "url": "http://advisories.mageia.org/MGASA-2014-0223.html" }, { "name": "[dovecot] 20140508 Denial of Service attacks against Dovecot v1.1+", "refsource": "MLIST", "url": "http://permalink.gmane.org/gmane.mail.imap.dovecot/77499" }, { "name": "DSA-2954", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2954" }, { "name": "59552", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/59552" }, { "name": "USN-2213-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2213-1" }, { "name": "67306", "refsource": "BID", "url": "http://www.securityfocus.com/bid/67306" }, { "name": "MDVSA-2015:113", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:113" }, { "name": "RHSA-2014:0790", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0790.html" }, { "name": "http://linux.oracle.com/errata/ELSA-2014-0790.html", "refsource": "CONFIRM", "url": "http://linux.oracle.com/errata/ELSA-2014-0790.html" }, { "name": "[Dovecot-news] 20140511 v2.2.13 released", "refsource": "MLIST", "url": "http://dovecot.org/pipermail/dovecot-news/2014-May/000273.html" } ] } } } }, "cveMetadata": { "assignerOrgId": 
"8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3430", "datePublished": "2014-05-14T19:00:00", "dateReserved": "2014-05-07T00:00:00", "dateUpdated": "2024-08-06T10:43:06.101Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-1929
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T22:46:00.589Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "FEDORA-2011-7612", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061384.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://hg.dovecot.org/dovecot-1.1/rev/3698dfe0f21c" }, { "name": "44771", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/44771" }, { "name": "[dovecot] 20110511 v1.2.17 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059086.html" }, { "name": "DSA-2252", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2011/dsa-2252" }, { "name": "MDVSA-2011:101", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:101" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=706286" }, { "name": "[dovecot] 20110511 v2.0.13 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "name": "RHSA-2011:1187", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2011-1187.html" }, { "name": "FEDORA-2011-7268", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060825.html" }, { "name": "72495", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": 
"http://osvdb.org/72495" }, { "name": "dovecot-header-name-dos(67589)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67589" }, { "name": "openSUSE-SU-2011:0540", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "https://hermes.opensuse.org/messages/8581790" }, { "name": "47930", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/47930" }, { "name": "[oss-security] 20110519 Re: Dovecot releases", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2011/05/19/6" }, { "name": "44756", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/44756" }, { "name": "44827", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/44827" }, { "name": "FEDORA-2011-7258", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060815.html" }, { "name": "44683", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/44683" }, { "name": "44712", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/44712" }, { "name": "USN-1143-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-1143-1" }, { "name": "[oss-security] 20110519 Re: Dovecot releases", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2011/05/19/3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.dovecot.org/doc/NEWS-1.2" }, { "name": "[oss-security] 20110518 Dovecot releases", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], 
"url": "http://openwall.com/lists/oss-security/2011/05/18/4" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-05-11T00:00:00", "descriptions": [ { "lang": "en", "value": "lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle \u0027\\0\u0027 characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "FEDORA-2011-7612", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061384.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://hg.dovecot.org/dovecot-1.1/rev/3698dfe0f21c" }, { "name": "44771", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/44771" }, { "name": "[dovecot] 20110511 v1.2.17 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059086.html" }, { "name": "DSA-2252", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2011/dsa-2252" }, { "name": "MDVSA-2011:101", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:101" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=706286" }, { "name": "[dovecot] 20110511 v2.0.13 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": 
"http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "name": "RHSA-2011:1187", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2011-1187.html" }, { "name": "FEDORA-2011-7268", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060825.html" }, { "name": "72495", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/72495" }, { "name": "dovecot-header-name-dos(67589)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67589" }, { "name": "openSUSE-SU-2011:0540", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "https://hermes.opensuse.org/messages/8581790" }, { "name": "47930", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/47930" }, { "name": "[oss-security] 20110519 Re: Dovecot releases", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2011/05/19/6" }, { "name": "44756", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/44756" }, { "name": "44827", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/44827" }, { "name": "FEDORA-2011-7258", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060815.html" }, { "name": "44683", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/44683" }, { "name": "44712", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/44712" }, { "name": "USN-1143-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-1143-1" }, { "name": "[oss-security] 20110519 Re: Dovecot releases", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": 
"http://openwall.com/lists/oss-security/2011/05/19/3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.dovecot.org/doc/NEWS-1.2" }, { "name": "[oss-security] 20110518 Dovecot releases", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2011/05/18/4" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-1929", "datePublished": "2011-05-24T23:00:00", "dateReserved": "2011-05-09T00:00:00", "dateUpdated": "2024-08-06T22:46:00.589Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-7957
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://dovecot.org/security | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2020/02/12/2 | x_refsource_CONFIRM | |
https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/ | vendor-advisory, x_refsource_FEDORA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:48:24.611Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/02/12/2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html" }, { "name": "FEDORA-2020-10a58fda28", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/" }, { "name": "FEDORA-2020-0e6a67af5a", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing \u003e character exists. This causes a denial of service in which the recipient cannot read all of their messages." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:H/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:R", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-20T06:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.openwall.com/lists/oss-security/2020/02/12/2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html" }, { "name": "FEDORA-2020-10a58fda28", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/" }, { "name": "FEDORA-2020-0e6a67af5a", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-7957", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and 
a trailing \u003e character exists. This causes a denial of service in which the recipient cannot read all of their messages." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:H/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security" }, { "name": "http://www.openwall.com/lists/oss-security/2020/02/12/2", "refsource": "CONFIRM", "url": "http://www.openwall.com/lists/oss-security/2020/02/12/2" }, { "name": "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html", "refsource": "CONFIRM", "url": "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html" }, { "name": "FEDORA-2020-10a58fda28", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/" }, { "name": "FEDORA-2020-0e6a67af5a", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-7957", "datePublished": "2020-02-12T16:50:56", "dateReserved": "2020-01-24T00:00:00", "dateUpdated": "2024-08-04T09:48:24.611Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-15130
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
https://usn.ubuntu.com/3587-1/ | vendor-advisory, x_refsource_UBUNTU | |
http://seclists.org/oss-sec/2018/q1/205 | mailing-list, x_refsource_MLIST | |
https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2018/dsa-4130 | vendor-advisory, x_refsource_DEBIAN | |
https://usn.ubuntu.com/3587-2/ | vendor-advisory, x_refsource_UBUNTU | |
https://bugzilla.redhat.com/show_bug.cgi?id=1532356 | x_refsource_CONFIRM | |
https://www.dovecot.org/list/dovecot-news/2018-February/000370.html | mailing-list, x_refsource_MLIST |
Vendor | Product | Version |
---|---|---|
The Dovecot Project | dovecot | before 2.2.34 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:50:16.075Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-3587-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3587-1/" }, { "name": "[oss-security] 20180301 Dovecot Security Advisory: CVE-2017-15130 TLS SNI config lookups are inefficient and can be used for DoS", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2018/q1/205" }, { "name": "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "name": "DSA-4130", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2018/dsa-4130" }, { "name": "USN-3587-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3587-2/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1532356" }, { "name": "[dovecot-news] 20180228 v2.2.34 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "dovecot", "vendor": "The Dovecot Project", "versions": [ { "status": "affected", "version": "before 2.2.34" } ] } ], "datePublic": "2018-02-28T00:00:00", "descriptions": [ { "lang": "en", "value": "A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-03T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "USN-3587-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3587-1/" }, { "name": "[oss-security] 20180301 Dovecot Security Advisory: CVE-2017-15130 TLS SNI config lookups are inefficient and can be used for DoS", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2018/q1/205" }, { "name": "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "name": "DSA-4130", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2018/dsa-4130" }, { "name": "USN-3587-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3587-2/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1532356" }, { "name": "[dovecot-news] 20180228 v2.2.34 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "DATE_PUBLIC": "2018-02-28T00:00:00", "ID": "CVE-2017-15130", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "dovecot", "version": { "version_data": [ { "version_value": "before 2.2.34" } ] } } ] }, "vendor_name": "The Dovecot Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A denial of service flaw was found in dovecot before 2.2.34. 
An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400" } ] } ] }, "references": { "reference_data": [ { "name": "USN-3587-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3587-1/" }, { "name": "[oss-security] 20180301 Dovecot Security Advisory: CVE-2017-15130 TLS SNI config lookups are inefficient and can be used for DoS", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2018/q1/205" }, { "name": "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "name": "DSA-4130", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4130" }, { "name": "USN-3587-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3587-2/" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1532356", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1532356" }, { "name": "[dovecot-news] 20180228 v2.2.34 released", "refsource": "MLIST", "url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-15130", "datePublished": "2018-03-02T15:00:00Z", "dateReserved": "2017-10-08T00:00:00", "dateUpdated": "2024-09-16T20:17:43.957Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-3304
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://www.dovecot.org/list/dovecot-news/2010-July/000163.html | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2010/09/16/17 | mailing-list, x_refsource_MLIST | |
http://www.ubuntu.com/usn/USN-1059-1 | vendor-advisory, x_refsource_UBUNTU | |
http://www.securityfocus.com/bid/41964 | vdb-entry, x_refsource_BID | |
http://www.openwall.com/lists/oss-security/2010/09/16/14 | mailing-list, x_refsource_MLIST | |
http://www.mandriva.com/security/advisories?name=MDVSA-2010:217 | vendor-advisory, x_refsource_MANDRIVA | |
http://secunia.com/advisories/43220 | third-party-advisory, x_refsource_SECUNIA | |
http://www.vupen.com/english/advisories/2011/0301 | vdb-entry, x_refsource_VUPEN | |
http://www.vupen.com/english/advisories/2010/2840 | vdb-entry, x_refsource_VUPEN | |
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:03:18.915Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[dovecot-news] 20100724 v1.2.13 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot-news/2010-July/000163.html" }, { "name": "[oss-security] 20100916 Re: CVE-identifier request for Dovecot ACL security bug", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/09/16/17" }, { "name": "USN-1059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "name": "41964", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/41964" }, { "name": "[oss-security] 20100916 CVE-identifier request for Dovecot ACL security bug", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/09/16/14" }, { "name": "MDVSA-2010:217", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "name": "43220", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/43220" }, { "name": "ADV-2011-0301", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "name": "ADV-2010-2840", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "name": "SUSE-SR:2010:017", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", 
"vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-07-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2010-09-30T09:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[dovecot-news] 20100724 v1.2.13 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot-news/2010-July/000163.html" }, { "name": "[oss-security] 20100916 Re: CVE-identifier request for Dovecot ACL security bug", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/09/16/17" }, { "name": "USN-1059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "name": "41964", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/41964" }, { "name": "[oss-security] 20100916 CVE-identifier request for Dovecot ACL security bug", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/09/16/14" }, { "name": "MDVSA-2010:217", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "name": "43220", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/43220" }, { "name": "ADV-2011-0301", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "name": "ADV-2010-2840", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": 
"http://www.vupen.com/english/advisories/2010/2840" }, { "name": "SUSE-SR:2010:017", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-3304", "datePublished": "2010-09-24T18:00:00", "dateReserved": "2010-09-13T00:00:00", "dateUpdated": "2024-08-07T03:03:18.915Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-4870
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://secunia.com/advisories/32164 | third-party-advisory, x_refsource_SECUNIA | |
http://www.openwall.com/lists/oss-security/2008/10/29/10 | mailing-list, x_refsource_MLIST | |
http://secunia.com/advisories/33149 | third-party-advisory, x_refsource_SECUNIA | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/46323 | vdb-entry, x_refsource_XF | |
https://bugzilla.redhat.com/show_bug.cgi?id=436287 | x_refsource_CONFIRM | |
http://security.gentoo.org/glsa/glsa-200812-16.xml | vendor-advisory, x_refsource_GENTOO | |
http://www.redhat.com/support/errata/RHSA-2009-0205.html | vendor-advisory, x_refsource_REDHAT | |
http://secunia.com/advisories/33624 | third-party-advisory, x_refsource_SECUNIA | |
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776 | vdb-entry, signature, x_refsource_OVAL |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T10:31:27.923Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "32164", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32164" }, { "name": "[oss-security] 20081029 CVE Request (dovecot)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2008/10/29/10" }, { "name": "33149", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/33149" }, { "name": "dovecot-dovecot-information-disclosure(46323)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287" }, { "name": "GLSA-200812-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "name": "RHSA-2009:0205", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html" }, { "name": "33624", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/33624" }, { "name": "oval:org.mitre.oval:def:10776", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-10-29T00:00:00", "descriptions": [ { "lang": "en", "value": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable 
permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "32164", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32164" }, { "name": "[oss-security] 20081029 CVE Request (dovecot)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2008/10/29/10" }, { "name": "33149", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/33149" }, { "name": "dovecot-dovecot-information-disclosure(46323)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287" }, { "name": "GLSA-200812-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "name": "RHSA-2009:0205", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html" }, { "name": "33624", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/33624" }, { "name": "oval:org.mitre.oval:def:10776", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-4870", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } 
}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "32164", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32164" }, { "name": "[oss-security] 20081029 CVE Request (dovecot)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2008/10/29/10" }, { "name": "33149", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33149" }, { "name": "dovecot-dovecot-information-disclosure(46323)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=436287", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287" }, { "name": "GLSA-200812-16", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "name": "RHSA-2009:0205", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html" }, { "name": "33624", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33624" }, { "name": "oval:org.mitre.oval:def:10776", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-4870", "datePublished": "2008-10-31T22:00:00", "dateReserved": "2008-10-31T00:00:00", "dateUpdated": "2024-08-07T10:31:27.923Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-3235
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:22:23.176Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "36377", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/36377" }, { "name": "cmu-sieve-dovecot-unspecified-bo(53248)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53248" }, { "name": "36713", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36713" }, { "name": "SUSE-SR:2009:018", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html" }, { "name": "[Dovecot-news] 20090914 Security holes in CMU Sieve plugin", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://dovecot.org/list/dovecot-news/2009-September/000135.html" }, { "name": "USN-838-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "name": "58103", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/58103" }, { "name": "oval:org.mitre.oval:def:10515", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10515" }, { "name": "ADV-2009-3184", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/3184" }, { "name": "SUSE-SR:2009:016", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html" }, { "name": "36904", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36904" 
}, { "name": "36698", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36698" }, { "name": "ADV-2009-2641", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/2641" }, { "name": "APPLE-SA-2009-11-09-1", "tags": [ "vendor-advisory", "x_refsource_APPLE", "x_transferred" ], "url": "http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html" }, { "name": "FEDORA-2009-9559", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00491.html" }, { "name": "[oss-security] 20090914 Re: CVE for recent cyrus-imap issue", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2009/09/14/3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://support.apple.com/kb/HT3937" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-09-14T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as demonstrated by forwarding an e-mail message to a large number of recipients, a different vulnerability than CVE-2009-2632." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "36377", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/36377" }, { "name": "cmu-sieve-dovecot-unspecified-bo(53248)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53248" }, { "name": "36713", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36713" }, { "name": "SUSE-SR:2009:018", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html" }, { "name": "[Dovecot-news] 20090914 Security holes in CMU Sieve plugin", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://dovecot.org/list/dovecot-news/2009-September/000135.html" }, { "name": "USN-838-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "name": "58103", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/58103" }, { "name": "oval:org.mitre.oval:def:10515", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10515" }, { "name": "ADV-2009-3184", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/3184" }, { "name": "SUSE-SR:2009:016", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html" }, { "name": "36904", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36904" }, { "name": "36698", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": 
"http://secunia.com/advisories/36698" }, { "name": "ADV-2009-2641", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/2641" }, { "name": "APPLE-SA-2009-11-09-1", "tags": [ "vendor-advisory", "x_refsource_APPLE" ], "url": "http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html" }, { "name": "FEDORA-2009-9559", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00491.html" }, { "name": "[oss-security] 20090914 Re: CVE for recent cyrus-imap issue", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2009/09/14/3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://support.apple.com/kb/HT3937" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3235", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as demonstrated by forwarding an e-mail message to a large number of recipients, a different vulnerability than CVE-2009-2632." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "36377", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36377" }, { "name": "cmu-sieve-dovecot-unspecified-bo(53248)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53248" }, { "name": "36713", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36713" }, { "name": "SUSE-SR:2009:018", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html" }, { "name": "[Dovecot-news] 20090914 Security holes in CMU Sieve plugin", "refsource": "MLIST", "url": "http://dovecot.org/list/dovecot-news/2009-September/000135.html" }, { "name": "USN-838-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "name": "58103", "refsource": "OSVDB", "url": "http://www.osvdb.org/58103" }, { "name": "oval:org.mitre.oval:def:10515", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10515" }, { "name": "ADV-2009-3184", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/3184" }, { "name": "SUSE-SR:2009:016", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html" }, { "name": "36904", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36904" }, { "name": "36698", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36698" }, { "name": "ADV-2009-2641", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2641" }, { "name": "APPLE-SA-2009-11-09-1", "refsource": "APPLE", "url": "http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html" }, { "name": "FEDORA-2009-9559", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00491.html" }, { "name": "[oss-security] 20090914 Re: CVE for 
recent cyrus-imap issue", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/09/14/3" }, { "name": "http://support.apple.com/kb/HT3937", "refsource": "CONFIRM", "url": "http://support.apple.com/kb/HT3937" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3235", "datePublished": "2009-09-17T10:00:00", "dateReserved": "2009-09-16T00:00:00", "dateUpdated": "2024-08-07T06:22:23.176Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-10691
Vulnerability from cvelistv5
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2019/04/18/3 | mailing-list, x_refsource_MLIST |
| https://dovecot.org/list/dovecot-news/2019-April/000406.html | mailing-list, x_refsource_MLIST |
| http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html | vendor-advisory, x_refsource_SUSE |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/ | vendor-advisory, x_refsource_FEDORA |
| https://security.gentoo.org/glsa/201908-29 | vendor-advisory, x_refsource_GENTOO |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:32:01.932Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20190418 CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters.", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/04/18/3" }, { "name": "[dovecot-news] 20190418 CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters.", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://dovecot.org/list/dovecot-news/2019-April/000406.html" }, { "name": "openSUSE-SU-2019:1312", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html" }, { "name": "FEDORA-2019-1b61a528dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "name": "GLSA-201908-29", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201908-29" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2019-04-18T00:00:00", "descriptions": [ { "lang": "en", "value": "The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-31T22:06:06", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20190418 CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters.", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/04/18/3" }, { "name": "[dovecot-news] 20190418 CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters.", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://dovecot.org/list/dovecot-news/2019-April/000406.html" }, { "name": "openSUSE-SU-2019:1312", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html" }, { "name": "FEDORA-2019-1b61a528dd", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "name": "GLSA-201908-29", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201908-29" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-10691", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20190418 CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters.", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/04/18/3" }, { "name": "[dovecot-news] 20190418 CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters.", "refsource": "MLIST", "url": "https://dovecot.org/list/dovecot-news/2019-April/000406.html" }, { "name": "openSUSE-SU-2019:1312", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html" }, { "name": "FEDORA-2019-1b61a528dd", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "name": "GLSA-201908-29", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201908-29" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-10691", "datePublished": "2019-04-24T16:49:37", "dateReserved": "2019-04-02T00:00:00", "dateUpdated": "2024-08-04T22:32:01.932Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-3897
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:45:50.108Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "37443", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/37443" }, { "name": "60316", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/60316" }, { "name": "[oss-security] 20091121 CVE Request - Dovecot - 1.2.8", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=oss-security\u0026m=125881481222441\u0026w=2" }, { "name": "[dovecot-news] 20091120 v1.2.8 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot-news/2009-November/000143.html" }, { "name": "SUSE-SR:2010:001", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html" }, { "name": "ADV-2009-3306", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/3306" }, { "name": "[oss-security] 20091123 Re: CVE request: v1.2.8 released to fix the 0777 base_dir creation issue", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=oss-security\u0026m=125900267208712\u0026w=2" }, { "name": "[oss-security] 20091120 CVE request: v1.2.8 released to fix the 0777 base_dir creation issue", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=oss-security\u0026m=125871729029145\u0026w=2" }, { "name": "37084", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/37084" }, { "name": "MDVSA-2009:306", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:306" }, 
{ "name": "[oss-security] 20091123 Re: CVE Request - Dovecot - 1.2.8", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=oss-security\u0026m=125900271508796\u0026w=2" }, { "name": "dovecot-basedir-privilege-escalation(54363)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54363" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-11-20T00:00:00", "descriptions": [ { "lang": "en", "value": "Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "37443", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/37443" }, { "name": "60316", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/60316" }, { "name": "[oss-security] 20091121 CVE Request - Dovecot - 1.2.8", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=oss-security\u0026m=125881481222441\u0026w=2" }, { "name": "[dovecot-news] 20091120 v1.2.8 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot-news/2009-November/000143.html" }, { "name": "SUSE-SR:2010:001", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html" }, { "name": 
"ADV-2009-3306", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/3306" }, { "name": "[oss-security] 20091123 Re: CVE request: v1.2.8 released to fix the 0777 base_dir creation issue", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=oss-security\u0026m=125900267208712\u0026w=2" }, { "name": "[oss-security] 20091120 CVE request: v1.2.8 released to fix the 0777 base_dir creation issue", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=oss-security\u0026m=125871729029145\u0026w=2" }, { "name": "37084", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/37084" }, { "name": "MDVSA-2009:306", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:306" }, { "name": "[oss-security] 20091123 Re: CVE Request - Dovecot - 1.2.8", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=oss-security\u0026m=125900271508796\u0026w=2" }, { "name": "dovecot-basedir-privilege-escalation(54363)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54363" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2009-3897", "datePublished": "2009-11-24T17:00:00", "dateReserved": "2009-11-05T00:00:00", "dateUpdated": "2024-08-07T06:45:50.108Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-3420
Vulnerability from cvelistv5
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2015/04/28/4 | mailing-list, x_refsource_MLIST |
| https://dovecot.org/pipermail/dovecot/2015-April/100618.html | mailing-list, x_refsource_MLIST |
| https://dovecot.org/pipermail/dovecot-news/2015-May/000292.html | mailing-list, x_refsource_MLIST |
| http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158261.html | vendor-advisory, x_refsource_FEDORA |
| http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157030.html | vendor-advisory, x_refsource_FEDORA |
| https://bugzilla.redhat.com/show_bug.cgi?id=1216057 | x_refsource_CONFIRM |
| http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158236.html | vendor-advisory, x_refsource_FEDORA |
| http://www.openwall.com/lists/oss-security/2015/04/27/1 | mailing-list, x_refsource_MLIST |
| http://www.securityfocus.com/bid/74335 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T05:47:57.729Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20150428 Re: Re: CVE request: Dovecot remote DoS on TLS connections", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/04/28/4" }, { "name": "[dovecot] 20150424 [patch] TLS Handshake failures can crash imap-login", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://dovecot.org/pipermail/dovecot/2015-April/100618.html" }, { "name": "[dovecot-news] 20150513 [Dovecot-news] v2.2.17 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://dovecot.org/pipermail/dovecot-news/2015-May/000292.html" }, { "name": "FEDORA-2015-7159", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158261.html" }, { "name": "FEDORA-2015-7156", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157030.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1216057" }, { "name": "FEDORA-2015-7089", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158236.html" }, { "name": "[oss-security] 20150427 Re: CVE request: Dovecot remote DoS on TLS connections", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/04/27/1" }, { "name": "74335", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/74335" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", 
"versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-04-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allow remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-19T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20150428 Re: Re: CVE request: Dovecot remote DoS on TLS connections", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/04/28/4" }, { "name": "[dovecot] 20150424 [patch] TLS Handshake failures can crash imap-login", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://dovecot.org/pipermail/dovecot/2015-April/100618.html" }, { "name": "[dovecot-news] 20150513 [Dovecot-news] v2.2.17 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://dovecot.org/pipermail/dovecot-news/2015-May/000292.html" }, { "name": "FEDORA-2015-7159", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158261.html" }, { "name": "FEDORA-2015-7156", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157030.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1216057" }, { "name": "FEDORA-2015-7089", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158236.html" }, { "name": "[oss-security] 20150427 Re: CVE request: Dovecot remote DoS on TLS connections", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": 
"http://www.openwall.com/lists/oss-security/2015/04/27/1" }, { "name": "74335", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/74335" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-3420", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allow remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20150428 Re: Re: CVE request: Dovecot remote DoS on TLS connections", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/04/28/4" }, { "name": "[dovecot] 20150424 [patch] TLS Handshake failures can crash imap-login", "refsource": "MLIST", "url": "https://dovecot.org/pipermail/dovecot/2015-April/100618.html" }, { "name": "[dovecot-news] 20150513 [Dovecot-news] v2.2.17 released", "refsource": "MLIST", "url": "https://dovecot.org/pipermail/dovecot-news/2015-May/000292.html" }, { "name": "FEDORA-2015-7159", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158261.html" }, { "name": "FEDORA-2015-7156", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157030.html" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1216057", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1216057" }, { "name": "FEDORA-2015-7089", "refsource": "FEDORA", 
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158236.html" }, { "name": "[oss-security] 20150427 Re: CVE request: Dovecot remote DoS on TLS connections", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/04/27/1" }, { "name": "74335", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74335" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-3420", "datePublished": "2017-09-19T15:00:00", "dateReserved": "2015-04-27T00:00:00", "dateUpdated": "2024-08-06T05:47:57.729Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-10967
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:21:14.414Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "USN-4361-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4361-1/" }, { "name": "20200519 Multiple vulnerabilities in Dovecot IMAP server", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "name": "DSA-4690", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4690" }, { "name": "FEDORA-2020-1dee17d880", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "name": "openSUSE-SU-2020:0720", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "name": "FEDORA-2020-b60344c987", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" }, { "name": 
"FEDORA-2020-cd8b8f887b", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "name": "FEDORA-2020-b8ebc4201e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "name": "FEDORA-2020-d737c57172", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-13T21:06:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://dovecot.org/security" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "USN-4361-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4361-1/" }, { "name": "20200519 Multiple vulnerabilities in Dovecot IMAP server", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "name": "DSA-4690", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4690" }, { "name": "FEDORA-2020-1dee17d880", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "name": "openSUSE-SU-2020:0720", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "name": "FEDORA-2020-b60344c987", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" }, { "name": "FEDORA-2020-cd8b8f887b", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "name": "FEDORA-2020-b8ebc4201e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "name": "FEDORA-2020-d737c57172", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-10967", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://dovecot.org/security", "refsource": "MISC", "url": "https://dovecot.org/security" }, { "name": "https://www.openwall.com/lists/oss-security/2020/05/18/1", "refsource": "CONFIRM", "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "name": "USN-4361-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4361-1/" }, { "name": "20200519 Multiple vulnerabilities in Dovecot IMAP server", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "name": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "name": "DSA-4690", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4690" }, { "name": "FEDORA-2020-1dee17d880", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "name": "openSUSE-SU-2020:0720", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "name": "FEDORA-2020-b60344c987", "refsource": "FEDORA", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" }, { "name": "FEDORA-2020-cd8b8f887b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "name": "FEDORA-2020-b8ebc4201e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "name": "FEDORA-2020-d737c57172", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-10967", "datePublished": "2020-05-18T14:02:55", "dateReserved": "2020-03-26T00:00:00", "dateUpdated": "2024-08-04T11:21:14.414Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-0745
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://security-tracker.debian.org/tracker/CVE-2010-0745 | x_refsource_CONFIRM | |
http://www.vupen.com/english/advisories/2010/1107 | vdb-entry, x_refsource_VUPEN | |
http://dovecot.org/pipermail/dovecot/2010-February/047190.html | mailing-list, x_refsource_MLIST | |
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html | vendor-advisory, x_refsource_SUSE | |
http://www.mandriva.com/security/advisories?name=MDVSA-2010:104 | vendor-advisory, x_refsource_MANDRIVA | |
https://bugzilla.redhat.com/show_bug.cgi?id=572268 | x_refsource_CONFIRM | |
http://www.vupen.com/english/advisories/2010/1226 | vdb-entry, x_refsource_VUPEN | |
http://www.openwall.com/lists/oss-security/2010/03/10/6 | mailing-list, x_refsource_MLIST | |
http://dovecot.org/list/dovecot-news/2010-March/000152.html | mailing-list, x_refsource_MLIST | |
http://marc.info/?l=oss-security&m=127013715227551&w=2 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:59:39.007Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://security-tracker.debian.org/tracker/CVE-2010-0745" }, { "name": "ADV-2010-1107", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/1107" }, { "name": "[dovecot] 20100227 Possible CPU Denial-Of-Service attack to dovecot IMAP.", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://dovecot.org/pipermail/dovecot/2010-February/047190.html" }, { "name": "SUSE-SR:2010:011", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html" }, { "name": "MDVSA-2010:104", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:104" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=572268" }, { "name": "ADV-2010-1226", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/1226" }, { "name": "[oss-security] 20100310 CVE Request -- Dovecot v1.2.11 -- DoS (excessive CPU use) by processing email with huge header", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/03/10/6" }, { "name": "[dovecot-news] 20100308 v1.2.11 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://dovecot.org/list/dovecot-news/2010-March/000152.html" }, { "name": "[oss-security] 20100401 Re: CVE Request -- Dovecot v1.2.11 -- DoS (excessive CPU use) by processing email with huge header", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": 
"http://marc.info/?l=oss-security\u0026m=127013715227551\u0026w=2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-02-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) via long headers in an e-mail message." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2010-04-30T09:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://security-tracker.debian.org/tracker/CVE-2010-0745" }, { "name": "ADV-2010-1107", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/1107" }, { "name": "[dovecot] 20100227 Possible CPU Denial-Of-Service attack to dovecot IMAP.", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://dovecot.org/pipermail/dovecot/2010-February/047190.html" }, { "name": "SUSE-SR:2010:011", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html" }, { "name": "MDVSA-2010:104", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:104" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=572268" }, { "name": "ADV-2010-1226", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/1226" }, { "name": "[oss-security] 20100310 CVE Request -- Dovecot v1.2.11 -- DoS (excessive CPU use) by processing email with huge header", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/03/10/6" 
}, { "name": "[dovecot-news] 20100308 v1.2.11 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://dovecot.org/list/dovecot-news/2010-March/000152.html" }, { "name": "[oss-security] 20100401 Re: CVE Request -- Dovecot v1.2.11 -- DoS (excessive CPU use) by processing email with huge header", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=oss-security\u0026m=127013715227551\u0026w=2" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-0745", "datePublished": "2010-05-20T17:00:00", "dateReserved": "2010-02-26T00:00:00", "dateUpdated": "2024-08-07T00:59:39.007Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-4578
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://secunia.com/advisories/32164 | third-party-advisory, x_refsource_SECUNIA | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/45669 | vdb-entry, x_refsource_XF | |
http://secunia.com/advisories/33149 | third-party-advisory, x_refsource_SECUNIA | |
http://www.vupen.com/english/advisories/2008/2745 | vdb-entry, x_refsource_VUPEN | |
http://www.securityfocus.com/bid/31587 | vdb-entry, x_refsource_BID | |
http://www.mandriva.com/security/advisories?name=MDVSA-2008:232 | vendor-advisory, x_refsource_MANDRIVA | |
http://security.gentoo.org/glsa/glsa-200812-16.xml | vendor-advisory, x_refsource_GENTOO | |
http://bugs.gentoo.org/show_bug.cgi?id=240409 | x_refsource_CONFIRM | |
http://www.dovecot.org/list/dovecot-news/2008-October/000085.html | mailing-list, x_refsource_MLIST | |
http://www.securityfocus.com/archive/1/498498/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T10:24:19.353Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "32164", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32164" }, { "name": "dovecot-acl-mailbox-security-bypass(45669)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45669" }, { "name": "33149", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/33149" }, { "name": "ADV-2008-2745", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/2745" }, { "name": "31587", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/31587" }, { "name": "MDVSA-2008:232", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232" }, { "name": "GLSA-200812-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409" }, { "name": "[Dovecot-news] 20081005 v1.1.4 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html" }, { "name": "20081119 Re: [ MDVSA-2008:232 ] dovecot", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/498498/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-10-05T00:00:00", "descriptions": [ { 
"lang": "en", "value": "The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass intended access restrictions by using the \"k\" right to create unauthorized \"parent/child/child\" mailboxes." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "32164", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32164" }, { "name": "dovecot-acl-mailbox-security-bypass(45669)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45669" }, { "name": "33149", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/33149" }, { "name": "ADV-2008-2745", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/2745" }, { "name": "31587", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/31587" }, { "name": "MDVSA-2008:232", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232" }, { "name": "GLSA-200812-16", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409" }, { "name": "[Dovecot-news] 20081005 v1.1.4 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html" }, { "name": "20081119 Re: [ MDVSA-2008:232 ] dovecot", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/498498/100/0/threaded" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", 
"cveId": "CVE-2008-4578", "datePublished": "2008-10-15T20:00:00", "dateReserved": "2008-10-15T00:00:00", "dateUpdated": "2024-08-07T10:24:19.353Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-2167
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://www.dovecot.org/doc/NEWS-2.0 | x_refsource_CONFIRM | |
http://dovecot.org/pipermail/dovecot/2011-May/059085.html | mailing-list, x_refsource_MLIST | |
http://rhn.redhat.com/errata/RHSA-2013-0520.html | vendor-advisory, x_refsource_REDHAT | |
http://secunia.com/advisories/52311 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/48003 | vdb-entry, x_refsource_BID | |
http://openwall.com/lists/oss-security/2011/05/18/4 | mailing-list, x_refsource_MLIST | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/67674 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T22:53:16.945Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "name": "[dovecot] 20110511 v2.0.13 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "name": "RHSA-2013:0520", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "name": "52311", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/52311" }, { "name": "48003", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/48003" }, { "name": "[oss-security] 20110518 Dovecot releases", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "name": "dovecot-scriptlogin-dir-traversal(67674)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67674" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-05-11T00:00:00", "descriptions": [ { "lang": "en", "value": "script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "name": "[dovecot] 20110511 v2.0.13 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "name": "RHSA-2013:0520", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "name": "52311", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/52311" }, { "name": "48003", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/48003" }, { "name": "[oss-security] 20110518 Dovecot releases", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "name": "dovecot-scriptlogin-dir-traversal(67674)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67674" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-2167", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.dovecot.org/doc/NEWS-2.0", "refsource": "CONFIRM", "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "name": "[dovecot] 20110511 v2.0.13 released", "refsource": "MLIST", "url": "http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "name": "RHSA-2013:0520", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "name": "52311", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/52311" }, { "name": "48003", "refsource": "BID", "url": "http://www.securityfocus.com/bid/48003" }, { "name": "[oss-security] 20110518 Dovecot releases", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "name": "dovecot-scriptlogin-dir-traversal(67674)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67674" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-2167", "datePublished": "2011-05-24T23:00:00", "dateReserved": "2011-05-24T00:00:00", "dateUpdated": "2024-08-06T22:53:16.945Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-8652
Vulnerability from cvelistv5
URL | Tags | |
---|---|---|
http://www.securityfocus.com/bid/94639 | vdb-entry, x_refsource_BID | |
http://www.openwall.com/lists/oss-security/2016/12/02/4 | mailing-list, x_refsource_MLIST | |
http://dovecot.org/pipermail/dovecot-news/2016-December/000333.html | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2016/12/05/12 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:27:41.255Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "94639", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/94639" }, { "name": "[oss-security] 20161202 Important vulnerability in Dovecot (CVE-2016-8652)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/02/4" }, { "name": "[dovecot-news] 20161203 v2.2.27 released", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://dovecot.org/pipermail/dovecot-news/2016-December/000333.html" }, { "name": "[oss-security] 20161205 Re: Important vulnerability in Dovecot (CVE-2016-8652)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/05/12" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-12-02T00:00:00", "descriptions": [ { "lang": "en", "value": "The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows a remote attackers to cause a denial of service (crash) by aborting authentication without setting a username." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-02-16T17:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "94639", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/94639" }, { "name": "[oss-security] 20161202 Important vulnerability in Dovecot (CVE-2016-8652)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/02/4" }, { "name": "[dovecot-news] 20161203 v2.2.27 released", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://dovecot.org/pipermail/dovecot-news/2016-December/000333.html" }, { "name": "[oss-security] 20161205 Re: Important vulnerability in Dovecot (CVE-2016-8652)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/05/12" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2016-8652", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows a remote attackers to cause a denial of service (crash) by aborting authentication without setting a username." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "94639", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94639" }, { "name": "[oss-security] 20161202 Important vulnerability in Dovecot (CVE-2016-8652)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/12/02/4" }, { "name": "[dovecot-news] 20161203 v2.2.27 released", "refsource": "MLIST", "url": "http://dovecot.org/pipermail/dovecot-news/2016-December/000333.html" }, { "name": "[oss-security] 20161205 Re: Important vulnerability in Dovecot (CVE-2016-8652)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/12/05/12" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-8652", "datePublished": "2017-02-16T18:00:00", "dateReserved": "2016-10-12T00:00:00", "dateUpdated": "2024-08-06T02:27:41.255Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
dovecot | dovecot | * | |
dovecot | pigeonhole | * | |
debian | debian_linux | 8.0 | |
fedoraproject | fedora | 30 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "88D5E505-A17F-45AE-8E1D-DA0F8E5AB532", "versionEndExcluding": "2.2.36.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EDA13EB-417C-4DA7-A7F8-719D3B13F8F8", "versionEndExcluding": "2.3.7.2", "versionStartIncluding": "2.3.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:pigeonhole:*:*:*:*:*:*:*:*", "matchCriteriaId": "62A7D824-F6F2-4988-9FBA-3859B376AEB8", "versionEndExcluding": "0.5.7.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because \u0027\\0\u0027 characters are mishandled, and can lead to out-of-bounds writes and remote code execution." }, { "lang": "es", "value": "En Dovecot versiones anteriores a 2.2.36.4 y versiones 2.3.x anteriores a 2.3.7.2 (y Pigeonhole versiones anteriores a 0.5.7.2), el procesamiento del protocolo puede fallar para cadenas entre comillas. Esto ocurre porque los caracteres \u0027\\0\u0027 se manejan inapropiadamente y pueden generar escrituras fuera de l\u00edmites y ejecuci\u00f3n de c\u00f3digo remota." 
} ], "id": "CVE-2019-11500", "lastModified": "2024-11-21T04:21:12.797", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-29T14:15:11.037", "references": [ { "source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" }, { "source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2019/08/28/3" }, { "source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:2822" }, { "source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:2836" }, { "source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:2885" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html" }, 
{ "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/201908-29" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://www.dovecot.org/security.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2019/08/28/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:2822" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:2836" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:2885" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": 
"https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/201908-29" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.dovecot.org/security.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-787" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "B61FA0DF-B597-448D-9274-F881D3DF2372", "versionEndIncluding": "1.0.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:*:rc2:*:*:*:*:*:*", "matchCriteriaId": "88124DE0-578C-4E06-8E80-E59F18B7C1D3", "versionEndIncluding": "1.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the skip_password_check field to be specified." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n de argumentos en Dovecot 1.0.x anterior a 1.0.13, y 1.1.x anterior a 1.1.rc3, cuando se utiliza passdbs con bloqueo, permite a atacantes remotos evitar la comprobaci\u00f3n de contrase\u00f1a a trav\u00e9s de una contrase\u00f1a que contenga caracteres TAB, los cuales son tratados como delimitadores de los argumentos que permiten que el fichero skip_password_check sea especificado." 
} ], "id": "CVE-2008-1218", "lastModified": "2024-11-21T00:43:58.627", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-03-10T23:44:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29226" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29295" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29364" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29385" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29396" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29557" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/32151" }, { "source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml" }, { "source": "cve@mitre.org", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1516" }, { "source": "cve@mitre.org", "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000064.html" }, { "source": "cve@mitre.org", "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000065.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/489481/100/0/threaded" }, { "source": "cve@mitre.org", "url": 
"http://www.securityfocus.com/bid/28181" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41085" }, { "source": "cve@mitre.org", "url": "https://issues.rpath.com/browse/RPL-2341" }, { "source": "cve@mitre.org", "url": "https://usn.ubuntu.com/593-1/" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/5257" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29226" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29295" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29364" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29385" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29396" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29557" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32151" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2008/dsa-1516" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000064.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.dovecot.org/list/dovecot-news/2008-March/000065.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/489481/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/28181" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41085" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.rpath.com/browse/RPL-2341" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/593-1/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/5257" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html" } ], "sourceIdentifier": "cve@mitre.org", "vendorComments": [ { "comment": "Not vulnerable. This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux 4 or 5.", "lastModified": "2008-03-12T00:00:00", "organization": "Red Hat" } ], "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-255" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
fedoraproject | fedora | 30 | |
fedoraproject | fedora | 31 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "0AED0B7F-4375-494E-80A4-1F2A2AA3D929", "versionEndExcluding": "2.3.9.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient." }, { "lang": "es", "value": "En Dovecot versiones anteriores a 2.3.9.2, un atacante puede bloquear un controlador de notificaci\u00f3n push con un correo electr\u00f3nico dise\u00f1ado cuando notificaciones push son usadas, debido a una desreferencia del puntero NULL. El correo electr\u00f3nico debe usar una direcci\u00f3n de grupo como remitente o destinatario." 
} ], "id": "CVE-2019-19722", "lastModified": "2024-11-21T04:35:15.320", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-12-13T17:15:13.333", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2019/12/13/3" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/list/dovecot-news/2019-December/000428.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security.html" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OZCJ3RBA4WIYGN7SOV4TW2AIHXPZATK/" }, { "source": "cve@mitre.org", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PPB7PG5BM3MC5ZF2KHQ3UR7CZIO42BB/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2019/12/13/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/list/dovecot-news/2019-December/000428.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OZCJ3RBA4WIYGN7SOV4TW2AIHXPZATK/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PPB7PG5BM3MC5ZF2KHQ3UR7CZIO42BB/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-476" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "A697E475-79C0-45FD-9529-022CBC15921D", "versionEndExcluding": "1.2.8", "versionStartIncluding": "1.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself." }, { "lang": "es", "value": "Dovecot v1.2.x anterior v1.2.8 establece permisos 0777 durante la creaci\u00f3n de ciertos directorios en el momento de la instalaci\u00f3n, permitiendo a usuarios locales acceder a las cuentas de usuarios por reemplazamiento del socket auth, relacionados con los directorios padre del directorio base_dir, y probablemente con el propio directorio base_dir\r\n" } ], "id": "CVE-2009-3897", "lastModified": "2024-11-21T01:08:28.240", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": 
"NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2009-11-24T17:30:00.407", "references": [ { "source": "secalert@redhat.com", "tags": [ "Mailing List" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Patch" ], "url": "http://marc.info/?l=oss-security\u0026m=125871729029145\u0026w=2" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List" ], "url": "http://marc.info/?l=oss-security\u0026m=125881481222441\u0026w=2" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Patch" ], "url": "http://marc.info/?l=oss-security\u0026m=125900267208712\u0026w=2" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List" ], "url": "http://marc.info/?l=oss-security\u0026m=125900271508796\u0026w=2" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://secunia.com/advisories/37443" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Patch", "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot-news/2009-November/000143.html" }, { "source": "secalert@redhat.com", "tags": [ "Not Applicable" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:306" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link" ], "url": "http://www.osvdb.org/60316" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link", "Patch", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/37084" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Permissions Required", "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/3306" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54363" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Patch" ], "url": "http://marc.info/?l=oss-security\u0026m=125871729029145\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "http://marc.info/?l=oss-security\u0026m=125881481222441\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Patch" ], "url": "http://marc.info/?l=oss-security\u0026m=125900267208712\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "http://marc.info/?l=oss-security\u0026m=125900271508796\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://secunia.com/advisories/37443" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Patch", "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot-news/2009-November/000143.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Not Applicable" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:306" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.osvdb.org/60316" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Patch", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/37084" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Permissions Required", "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/3306" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54363" } ], "sourceIdentifier": "secalert@redhat.com", 
"vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-732" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "71057F4B-3040-4771-B989-9F3453934AAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "1730EBB1-4071-4A23-B770-D564AF422273", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From address, which triggers an assertion error, aka \"invalid message address parsing bug.\"" }, { "lang": "es", "value": "La caracter\u00edstica de an\u00e1lisis sint\u00e1ctico en Dovecot v1.1.4 y v1.1.5, cuando usa el comando FETCH ENVELOPE en el cliente IMAP, permite a atacantes remotos causar denegaci\u00f3n de servicio (ca\u00edda persistente) a trav\u00e9s de un correo electr\u00f3nico con una direcci\u00f3n From mal formada, que dispara un error de aserci\u00f3n, tambi\u00e9n conocido como \"error de an\u00e1lisis de direcci\u00f3n de mensaje inv\u00e1lido\"." 
} ], "id": "CVE-2008-4907", "lastModified": "2024-11-21T00:52:48.727", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-11-04T00:58:40.277", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/32479" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/32677" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/33149" }, { "source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "source": "cve@mitre.org", "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000089.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/31997" }, { "source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/usn-666-1" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46227" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://secunia.com/advisories/32479" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32677" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/33149" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.dovecot.org/list/dovecot-news/2008-October/000089.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/31997" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/usn-666-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46227" } ], "sourceIdentifier": "cve@mitre.org", "vendorComments": [ { "comment": "Not vulnerable. This issue did not affect the versions of the dovecot package, as shipped with Red Hat Enterprise Linux 4 or 5.", "lastModified": "2008-11-21T00:00:00", "organization": "Red Hat" } ], "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | 1.2.0 | |
dovecot | dovecot | 1.2.1 | |
dovecot | dovecot | 1.2.2 | |
dovecot | dovecot | 1.2.3 | |
dovecot | dovecot | 1.2.4 | |
dovecot | dovecot | 1.2.5 | |
dovecot | dovecot | 1.2.6 | |
dovecot | dovecot | 1.2.7 | |
dovecot | dovecot | 1.2.8 | |
dovecot | dovecot | 1.2.9 | |
dovecot | dovecot | 1.2.10 | |
dovecot | dovecot | 1.2.11 | |
dovecot | dovecot | 1.2.12 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD2D1C99-0594-4378-AA6C-EC2E890E41FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "96F35305-79B4-49CD-A89F-A559CA9EEB33", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "EDC7E277-A5AE-4025-8412-E715D1C8C0F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "0DBE1D51-B9D5-4E59-81F6-C6937DA78637", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "30B37ACE-64EA-49E7-B836-C3F05CAE0392", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "1204F5C2-916D-4C27-A5C4-5B5E0AAA7322", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "A0C46C8A-EA49-4356-BA6B-8EC0F2E70B3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "96F54038-B17B-40C0-9C2E-20AF55E7602B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "BBB0B72A-1C7D-4F89-BE89-CD82F667CB76", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "FEF89EB6-CBF5-48DF-8FDD-2C0AE0266B3D", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "41B2B3D8-EB69-4BD8-ACD5-CB6BFDE6B2FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "E1A909DC-0D77-4690-87D2-51A7564B63B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "BB2F767F-5D7F-40AC-BA57-4E819F486301", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], 
"descriptions": [ { "lang": "en", "value": "The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs." }, { "lang": "es", "value": "El complemento ACL de Dovecot v1.2.x anteriores a v1.2.13 propaga las ACLs INBOX a nuevos buzones de correo en determinadas configuraciones, lo que puede permitir a atacantes remotos leer buzones de correo que tienen ACLs d\u00e9biles imprevistos." } ], "id": "CVE-2010-3304", "lastModified": "2024-11-21T01:18:28.573", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-09-24T19:00:04.980", "references": [ { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/43220" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot-news/2010-July/000163.html" }, { "source": "secalert@redhat.com", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2010/09/16/14" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2010/09/16/17" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/41964" }, { 
"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/43220" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot-news/2010-July/000163.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2010/09/16/14" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2010/09/16/17" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/41964" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2011/0301" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
debian | debian_linux | 9.0 | |
debian | debian_linux | 10.0 | |
fedoraproject | fedora | 31 | |
fedoraproject | fedora | 32 | |
fedoraproject | fedora | 33 | |
canonical | ubuntu_linux | 14.04 | |
canonical | ubuntu_linux | 16.04 | |
canonical | ubuntu_linux | 18.04 | |
canonical | ubuntu_linux | 20.04 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "346B659D-F8B1-43E5-A50E-2FC6ED1F6536", "versionEndExcluding": "2.3.11.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to 
cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts." }, { "lang": "es", "value": "En Dovecot versiones anteriores a 2.3.11.3, la recursividad no controlada en submission, lmtp, y lda permite a atacantes remotos causar una denegaci\u00f3n de servicio (consumo de recursos) por medio de un mensaje de correo electr\u00f3nico dise\u00f1ado con partes MIME profundamente anidadas" } ], "id": "CVE-2020-12100", "lastModified": "2024-11-21T04:59:14.610", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-08-12T16:15:11.760", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2021/Jan/18" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/08/12/1" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], 
"url": "http://www.openwall.com/lists/oss-security/2021/01/04/3" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202009-02" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/4456-1/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/4456-2/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2020/dsa-4745" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2021/Jan/18" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/08/12/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2021/01/04/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202009-02" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/4456-1/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/4456-2/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2020/dsa-4745" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-674" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | 1.2.0 | |
dovecot | dovecot | 1.2.1 | |
dovecot | dovecot | 1.2.2 | |
dovecot | dovecot | 1.2.3 | |
dovecot | dovecot | 1.2.4 | |
dovecot | dovecot | 1.2.5 | |
dovecot | dovecot | 1.2.6 | |
dovecot | dovecot | 1.2.7 | |
dovecot | dovecot | 1.2.8 | |
dovecot | dovecot | 1.2.9 | |
dovecot | dovecot | 1.2.10 | |
dovecot | dovecot | 1.2.11 | |
dovecot | dovecot | 1.2.12 | |
dovecot | dovecot | 1.2.13 | |
dovecot | dovecot | 1.2.14 | |
dovecot | dovecot | 2.0.0 | |
dovecot | dovecot | 2.0.1 | |
dovecot | dovecot | 2.0.2 | |
dovecot | dovecot | 2.0.3 | |
dovecot | dovecot | 2.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD2D1C99-0594-4378-AA6C-EC2E890E41FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "96F35305-79B4-49CD-A89F-A559CA9EEB33", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "EDC7E277-A5AE-4025-8412-E715D1C8C0F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "0DBE1D51-B9D5-4E59-81F6-C6937DA78637", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "30B37ACE-64EA-49E7-B836-C3F05CAE0392", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "1204F5C2-916D-4C27-A5C4-5B5E0AAA7322", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "A0C46C8A-EA49-4356-BA6B-8EC0F2E70B3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "96F54038-B17B-40C0-9C2E-20AF55E7602B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "BBB0B72A-1C7D-4F89-BE89-CD82F667CB76", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "FEF89EB6-CBF5-48DF-8FDD-2C0AE0266B3D", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "41B2B3D8-EB69-4BD8-ACD5-CB6BFDE6B2FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "E1A909DC-0D77-4690-87D2-51A7564B63B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "BB2F767F-5D7F-40AC-BA57-4E819F486301", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.13:*:*:*:*:*:*:*", 
"matchCriteriaId": "68296C7C-B72C-46E7-A280-5E86E1470FDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.14:*:*:*:*:*:*:*", "matchCriteriaId": "72E1AF54-0446-49FB-A6B8-AF14833A3D0C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AEE31582-7AE3-4131-BDE9-5654DE58FAF3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "65102391-C9AF-4CA3-AC43-0C52A7A37363", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "593DF083-5960-4BD5-AFC4-668B30E32E59", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "4DCC5E56-D31E-45F0-B18B-D98C219DEBAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "D969ED92-F429-4F67-8366-31A73CEE6A47", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox." 
}, { "lang": "es", "value": "plugins/acl/acl-backend-vfile.c en Dovecot v1.2.x anterior a v1.2.15 y v2.0.x anterior a 2.0.5 interpreta una entrada ACL como una directiva a a\u00f1adir a los permisos concedidos por otra entrada ACL, en ciertas circunstancias involucrando entradas m\u00e1s espec\u00edficas que tienen lugar despu\u00e9s de entradas menos espec\u00edficas, lo que permite a usuarios autenticados remotamente evitar restricciones de acceso intencionadas a trav\u00e9s de una petici\u00f3n para leer o modificar un buz\u00f3n de correo." } ], "id": "CVE-2010-3707", "lastModified": "2024-11-21T01:19:26.253", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-10-06T17:00:17.407", "references": [ { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html" }, { "source": "secalert@redhat.com", "url": "http://marc.info/?l=oss-security\u0026m=128620520732377\u0026w=2" }, { "source": "secalert@redhat.com", "url": "http://marc.info/?l=oss-security\u0026m=128622064325688\u0026w=2" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/43220" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053451.html" }, { "source": "secalert@redhat.com", 
"tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html" }, { "source": "secalert@redhat.com", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "source": "secalert@redhat.com", "url": "http://www.redhat.com/support/errata/RHSA-2011-0600.html" }, { "source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/2572" }, { "source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=oss-security\u0026m=128620520732377\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=oss-security\u0026m=128622064325688\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/43220" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053451.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.redhat.com/support/errata/RHSA-2011-0600.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.ubuntu.com/usn/USN-1059-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/2572" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2011/0301" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD2D1C99-0594-4378-AA6C-EC2E890E41FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "96F35305-79B4-49CD-A89F-A559CA9EEB33", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "EDC7E277-A5AE-4025-8412-E715D1C8C0F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "0DBE1D51-B9D5-4E59-81F6-C6937DA78637", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "30B37ACE-64EA-49E7-B836-C3F05CAE0392", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "1204F5C2-916D-4C27-A5C4-5B5E0AAA7322", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "A0C46C8A-EA49-4356-BA6B-8EC0F2E70B3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "96F54038-B17B-40C0-9C2E-20AF55E7602B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "BBB0B72A-1C7D-4F89-BE89-CD82F667CB76", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "FEF89EB6-CBF5-48DF-8FDD-2C0AE0266B3D", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "41B2B3D8-EB69-4BD8-ACD5-CB6BFDE6B2FB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) via long headers in an e-mail message." 
}, { "lang": "es", "value": "Vulnerabilidad sin especificar en Dovecot v1.2.x anterior a 1.2.11 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo CPU) a trav\u00e9s de una larga cabecera en un mensaje de e-mail" } ], "id": "CVE-2010-0745", "lastModified": "2024-11-21T01:12:52.473", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-05-20T17:30:01.287", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://dovecot.org/list/dovecot-news/2010-March/000152.html" }, { "source": "secalert@redhat.com", "url": "http://dovecot.org/pipermail/dovecot/2010-February/047190.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html" }, { "source": "secalert@redhat.com", "url": "http://marc.info/?l=oss-security\u0026m=127013715227551\u0026w=2" }, { "source": "secalert@redhat.com", "url": "http://security-tracker.debian.org/tracker/CVE-2010-0745" }, { "source": "secalert@redhat.com", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:104" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2010/03/10/6" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/1107" }, { "source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2010/1226" }, { "source": 
"secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=572268" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://dovecot.org/list/dovecot-news/2010-March/000152.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://dovecot.org/pipermail/dovecot/2010-February/047190.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=oss-security\u0026m=127013715227551\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security-tracker.debian.org/tracker/CVE-2010-0745" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:104" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2010/03/10/6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/1107" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2010/1226" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=572268" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-399" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "E86FDDEF-12EF-4D0A-892D-A048C1FEFD74", "versionEndIncluding": "1.0.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password." }, { "lang": "es", "value": "Dovecot anterior a 1.0.10, con determinadas opciones de configuraci\u00f3n incluyendo el uso de %variables, no mantiene adecuadamente la cach\u00e9 LDAP+auth, lo cual podr\u00eda permitir a usuarios autenticados remotamente identificarse como un usuario diferente que tiene la misma contrase\u00f1a." } ], "id": "CVE-2007-6598", "lastModified": "2024-11-21T00:40:32.143", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-01-04T02:46:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://dovecot.org/list/dovecot-news/2007-December/000057.html" }, { "source": "cve@mitre.org", "url": "http://dovecot.org/list/dovecot-news/2007-December/000058.html" }, { "source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/39876" 
}, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/28227" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/28271" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/28404" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/28434" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/30342" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/32151" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1457" }, { "source": "cve@mitre.org", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/485779/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/485787/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/27093" }, { "source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/usn-567-1" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/0017" }, { "source": "cve@mitre.org", "url": "https://issues.rpath.com/browse/RPL-2076" }, { "source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10458" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://dovecot.org/list/dovecot-news/2007-December/000057.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://dovecot.org/list/dovecot-news/2007-December/000058.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/39876" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/28227" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/28271" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/28404" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/28434" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/30342" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32151" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2008/dsa-1457" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/485779/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/485787/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/27093" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/usn-567-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/0017" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.rpath.com/browse/RPL-2076" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10458" } ], "sourceIdentifier": "cve@mitre.org", "vendorComments": [ { "comment": "This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux before version 5. An update to Red Hat Enterprise Linux 5 was released to correct this issue:\nhttps://rhn.redhat.com/errata/RHSA-2008-0297.html\n", "lastModified": "2008-05-21T00:00:00", "organization": "Red Hat" } ], "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "13310053-191A-4931-BA90-2D6F8850A7CF", "versionEndIncluding": "1.1.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*", "matchCriteriaId": "D0616CCF-D278-4B6D-A58B-393BCA128CF1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*", "matchCriteriaId": "D3C7BE64-7C1E-4043-A1C5-D0A7377C01A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4240BD98-3C31-42CE-AF8F-045DD4BFC084", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1C05ACA0-ED87-4DDF-94B6-8D25BE1790F1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "8A8C0C4A-F9DB-4BB7-BFC5-BEC22C3FE40B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "B7E00B56-A1E5-4261-8349-37654AA9FB64", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "E66427AA-A9D4-413F-8354-EA61407307C1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "D74BE6C7-114D-4885-8472-FFE71C817B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "4A349510-4D00-4978-93D9-3F9F5E0CD8DE", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "B65B9EFD-1531-463C-992E-F0F16AABF9C3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "34BA7146-5793-44F4-9569-9D868FE6E325", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "B5078363-6B42-491B-A219-F8D8A86132BF", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:dovecot:dovecot:1.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "B1DDF093-B5C7-4AE5-B3D6-466C543AB2BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta1:*:*:*:*:*:*:*", "matchCriteriaId": "C9FBEF6C-4A09-4661-BED0-8B5BC8BAF1AD", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*", "matchCriteriaId": "9D680474-C329-4DD0-B4EA-2406E27EC474", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*", "matchCriteriaId": "165A0D0B-C6B0-431F-BF36-223A27CD6A42", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta4:*:*:*:*:*:*:*", "matchCriteriaId": "92FB54D3-F856-4027-8AAF-6B05AE17D520", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta5:*:*:*:*:*:*:*", "matchCriteriaId": "34759794-747B-4770-8DB5-4E07AA8A15AF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta6:*:*:*:*:*:*:*", "matchCriteriaId": "8D5AF2A0-3289-47FA-B8DB-D5E28504F012", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*", "matchCriteriaId": "99268D48-CF82-450B-A033-D87AF4109531", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*", "matchCriteriaId": "B2E09737-8107-45C0-BFF1-FB4CF81564CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta9:*:*:*:*:*:*:*", "matchCriteriaId": "280BE28D-B8A8-4E76-BC96-DB756C00B994", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*", "matchCriteriaId": "91E74D81-DF10-423A-8549-3BB5ED02B5A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*", "matchCriteriaId": "07D6853E-7E81-443D-8806-C8469217F55C", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*", "matchCriteriaId": "D1BE4B6A-47A2-457B-B6B8-8FE5C2026A11", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*", "matchCriteriaId": 
"7382F655-9B27-443D-9397-346FBEADEFDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*", "matchCriteriaId": "6F180045-A0DA-40A3-AD3E-F3402FB6456A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*", "matchCriteriaId": "C1A2FFE7-D008-47B4-80E7-AEC176918E06", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*", "matchCriteriaId": "8C840337-7B31-476B-BBCD-65F4899925E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*", "matchCriteriaId": "545EF2F5-9BAE-4612-9958-70A5413818A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*", "matchCriteriaId": "E80096F8-46D9-42E3-8CDB-99ADA2CBD970", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*", "matchCriteriaId": "9E504866-3429-4A4C-8278-5C2753D356C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*", "matchCriteriaId": "30857130-636F-4719-9F1E-8F6369F40DAC", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*", "matchCriteriaId": "9843D7CE-4723-4200-AFD4-5B31545A287E", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*", "matchCriteriaId": "54AF1D92-D89B-4DE4-9D47-72466873A4C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*", "matchCriteriaId": "64A8FCA5-1666-48F7-9689-37D9315813F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*", "matchCriteriaId": "D4D517F3-F0A8-4362-89B9-0ED63515283F", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc16:*:*:*:*:*:*:*", "matchCriteriaId": "23883A94-559B-4655-82D4-F09868235771", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc17:*:*:*:*:*:*:*", "matchCriteriaId": "520B52BF-FD23-429D-BAA4-E08DB84C82F3", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:dovecot:dovecot:1.0.rc18:*:*:*:*:*:*:*", "matchCriteriaId": "0B7948AB-2061-4ADB-A01C-3CE8B47CCD19", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc19:*:*:*:*:*:*:*", "matchCriteriaId": "C24F6BFB-AA8C-441A-9026-809183D0350E", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc20:*:*:*:*:*:*:*", "matchCriteriaId": "C22A513A-A94A-4BC4-B5B7-3CCA166C9874", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc21:*:*:*:*:*:*:*", "matchCriteriaId": "65038654-6B35-4502-BD74-F9F0954C5EF0", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc22:*:*:*:*:*:*:*", "matchCriteriaId": "4307AA80-C0AC-4193-8353-D746DBF52FD8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc23:*:*:*:*:*:*:*", "matchCriteriaId": "0E95BAF5-FC78-4286-B6BD-464E9F08CF9D", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc24:*:*:*:*:*:*:*", "matchCriteriaId": "0C6AA8FD-3692-4069-8980-9544044B8CE6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc25:*:*:*:*:*:*:*", "matchCriteriaId": "F22AADE9-D37D-439B-B934-8DA01A29BB87", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc26:*:*:*:*:*:*:*", "matchCriteriaId": "4ECCD893-A5EE-4696-80AA-FD9092548BDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc27:*:*:*:*:*:*:*", "matchCriteriaId": "0B960D71-04E5-45F7-8DC2-45C341673FB5", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc28:*:*:*:*:*:*:*", "matchCriteriaId": "658E275E-8C2C-46EE-850A-14ADBD097E0F", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*", "matchCriteriaId": "3AAE9E7C-49CC-48C3-B47C-CDC5802356A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F8BE860F-A3C2-43E0-BC75-503C437DAADD", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": 
"9E6F249C-2793-46B5-A9E2-5EB3A62FF8E4", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "E4E57B06-8650-4374-B643-6FCBE3ABDAF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B0384E42-1506-4C08-AA5A-18B2A711C7F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "F5DC1CE5-50B9-426E-B98A-224DC499AB15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass intended access restrictions by using the \"k\" right to create unauthorized \"parent/child/child\" mailboxes." }, { "lang": "es", "value": "El plugin ACL en Dovecot anterior a 1.1.4 permite a atacantes remotos evitar las restricciones de acceso previstas utilizando el derecho \"k\" para crear buzones de correo \"parent/child/child\" no autorizados." 
} ], "id": "CVE-2008-4578", "lastModified": "2024-11-21T00:52:01.117", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-10-15T20:08:02.700", "references": [ { "source": "secalert@redhat.com", "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/32164" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/33149" }, { "source": "secalert@redhat.com", "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html" }, { "source": "secalert@redhat.com", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/archive/1/498498/100/0/threaded" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/31587" }, { "source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2008/2745" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45669" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/32164" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/33149" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/498498/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/31587" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/2745" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45669" } ], "sourceIdentifier": "secalert@redhat.com", "vendorComments": [ { "comment": "The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 5.", "lastModified": "2008-10-24T00:00:00", "organization": "Red Hat" } ], "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "707DA796-897B-4541-8690-FFBDDA756551", "versionEndExcluding": "2.3.5.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username." }, { "lang": "es", "value": "El codificador JSON en Dovecot versiones anteriores a 2.3.5.2 permite a los atacantes bloquear repetidamente el servicio de autenticaci\u00f3n al intentar autenticarse con una secuencia UTF-8 no v\u00e1lida como nombre de usuario." } ], "id": "CVE-2019-10691", "lastModified": "2024-11-21T04:19:45.653", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 
"version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-04-24T17:29:00.397", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2019/04/18/3" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://dovecot.org/list/dovecot-news/2019-April/000406.html" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201908-29" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2019/04/18/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://dovecot.org/list/dovecot-news/2019-April/000406.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201908-29" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B753CF9-8EB3-4925-9772-F6044915C907", "versionEndExcluding": "2.3.10.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp." }, { "lang": "es", "value": "En Dovecot versiones anteriores a 2.3.10.1, el env\u00edo no autenticado de par\u00e1metros malformados hacia un comando NOOP causa una Desreferencia del Puntero NULL y un bloqueo en submission-login o lmtp." } ], "id": "CVE-2020-10957", "lastModified": "2024-11-21T04:56:27.067", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-05-18T14:15:11.717", "references": [ { "source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4361-1/" }, { "source": "cve@mitre.org", "url": "https://www.debian.org/security/2020/dsa-4690" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/4361-1/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2020/dsa-4690" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-476" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://dovecot.org/security | Vendor Advisory | |
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html | Mailing List, Third Party Advisory | |
cve@mitre.org | https://security.gentoo.org/glsa/202310-19 | Third Party Advisory | |
cve@mitre.org | https://www.dovecot.org/download/ | Product | |
cve@mitre.org | https://www.openwall.com/lists/oss-security/2022/07/08/1 | Mailing List, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://dovecot.org/security | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202310-19 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.dovecot.org/download/ | Product | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2022/07/08/1 | Mailing List, Patch, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "23962064-4385-496A-9651-128C6A5898F0", "versionEndExcluding": "2.3.20", "versionStartIncluding": "2.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "C2580849-4977-4475-9E1F-CFFA52793E36", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user." }, { "lang": "es", "value": "Se ha detectado un problema en el componente auth en Dovecot versiones 2.2 y 2.3 anteriores a 2.3.20. Cuando se presentan dos entradas de configuraci\u00f3n de passdb con los mismos ajustes de driver y args, pueden aplicarse ajustes incorrectos de username_filter y mechanism a las definiciones de passdb. 
Estos ajustes aplicados incorrectamente pueden conllevar a una configuraci\u00f3n de seguridad no deseada y pueden permitir una escalada de privilegios en determinadas configuraciones. La documentaci\u00f3n no aconseja contra el uso de definiciones de passdb que tengan la misma configuraci\u00f3n de driver y args. Una de estas configuraciones ser\u00eda cuando un administrador desea usar la misma configuraci\u00f3n PAM o archivo passwd para los usuarios normales y maestros, pero usa la configuraci\u00f3n username_filter para restringir cu\u00e1l de los usuarios puede ser un usuario maestro" } ], "id": "CVE-2022-30550", "lastModified": "2024-11-21T07:02:55.463", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2022-07-17T19:15:18.540", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html" }, { "source": "cve@mitre.org", 
"tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202310-19" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://www.dovecot.org/download/" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Patch", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2022/07/08/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202310-19" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://www.dovecot.org/download/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Patch", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2022/07/08/1" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7C0B4BC-A831-48F2-A862-C5E0A4855824", "versionEndIncluding": "2.2.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3DDF90CB-3787-4872-B292-CE12FB6D62EF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AEE31582-7AE3-4131-BDE9-5654DE58FAF3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "65102391-C9AF-4CA3-AC43-0C52A7A37363", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "593DF083-5960-4BD5-AFC4-668B30E32E59", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "4DCC5E56-D31E-45F0-B18B-D98C219DEBAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "D969ED92-F429-4F67-8366-31A73CEE6A47", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "8D4074C5-98E7-4A65-9413-17081FE12F0E", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "810788F1-D928-4190-94F9-944AF677C9BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "CD6739FA-5AFE-46E9-AFB6-147736A81A86", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "4D486B62-AEB1-448E-88B9-267A1E1405A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "062E0A90-0C22-4E5F-8D12-B3A17EE87789", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "C9DCBDC9-B290-4495-8D15-C0E9AD595291", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:dovecot:dovecot:2.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "E7574EAB-5E97-4906-9D7E-33654BFAEC6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "F575E273-7FF6-44A0-A217-7A7544ED8061", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "DE7ADB47-D8F4-427A-AFF3-F4001E87C0C1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "F42D40FF-607A-4D80-B27C-A577C499436B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "BF9F42B2-56CF-42D7-A4FE-56EBC4A26D44", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "EDEF605E-34C6-4BFD-96B6-E03B8A8097C3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "4212D5BB-51B9-4FFD-9649-3E16ED3E1ABE", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "5B7A4498-42A2-4CED-B7A9-F62548EA3EE8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1:rc5:*:*:*:*:*:*", "matchCriteriaId": "6111D270-096B-4047-B6B4-170420C24A58", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1:rc6:*:*:*:*:*:*", "matchCriteriaId": "7D9B53BA-4364-42A7-82E3-DC785789464A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1:rc7:*:*:*:*:*:*", "matchCriteriaId": "E136870F-F5E9-4605-8186-3993309EEE24", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F38C8E3A-8B54-4753-B13A-AE2E465FA5AC", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "32D18EF9-AE3B-4D08-A3A9-46B5E87BB9BD", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "C673DFC9-9792-464C-BD7C-4FE79E68B66B", "vulnerable": 
true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "CD5BE130-02A4-4FE7-BF6B-758D8239BA51", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "365A0662-7947-4D91-9D15-FB2DF13531A1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "92929838-DBD2-475B-8FE8-D07C07946495", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "06CA0943-02FF-4CE7-A0F3-0EB25E8A12F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "4A9EEAA5-7E8C-46FE-93B5-D029335BB9E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.10:*:*:*:*:*:*:*", "matchCriteriaId": "AF7EACFF-3F1B-4C9A-AE3D-B98777F4C77A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.11:*:*:*:*:*:*:*", "matchCriteriaId": "81B73116-B55E-414C-B600-026A91BFCC2E", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.12:*:*:*:*:*:*:*", "matchCriteriaId": "60B1FD0E-9C89-49C0-B1F0-5D6252A12158", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.13:*:*:*:*:*:*:*", "matchCriteriaId": "8A260A74-4F4C-470E-BDDC-2B4B7A08F5DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.14:*:*:*:*:*:*:*", "matchCriteriaId": "8466B0AB-EA90-47DC-871C-95A738A5185A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.15:*:*:*:*:*:*:*", "matchCriteriaId": "47022C47-9C2B-404C-834A-8703EF7F5B9A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "B11EF361-E553-402A-83EE-71D887FC9F69", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "7E47CA62-99F7-4906-B6F6-245A4B22AC99", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc3:*:*:*:*:*:*", "matchCriteriaId": 
"52F33ED8-9902-41B8-9189-462620FD62C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc4:*:*:*:*:*:*", "matchCriteriaId": "6741622C-7CCB-4FB7-AF17-EE95C3311D78", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc5:*:*:*:*:*:*", "matchCriteriaId": "856E97CA-689D-409C-B8DF-AD95AA3CD7ED", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc6:*:*:*:*:*:*", "matchCriteriaId": "89EF88D5-2FA2-4F97-BA26-9FD82D4CD37A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc7:*:*:*:*:*:*", "matchCriteriaId": "AF73C3A2-C646-4D46-9975-B6FEDD262542", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9260A530-7A6D-4223-94B6-D3DCDF7FF331", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "0BE31C92-74FA-460F-AACD-3983C1E78E02", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "733F99E5-A9E9-4DCF-85C4-54E7F1014F16", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "FF19B9C8-C67B-47A5-8297-0EFCF4E63491", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "DC5200F5-66BE-4DB3-9BB8-68C403600045", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "8685D3E7-4EAD-46B4-8607-F4CF6E7F11DB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server." 
}, { "lang": "es", "value": "checkpassword-reply en Dovecot anteriores a 2.2.7 ejecuta operaciones setuid a usuarios que se est\u00e1n autenticando, lo cual permite a usuarios locales sortear la autenticaci\u00f3n y acceder a cuentas de email virtuales adjuntandose al proceso y utilizando un descriptor de fichero restringido para modificar informaci\u00f3n de la cuenta en la respuesta al servidor dovecot-auth." } ], "id": "CVE-2013-6171", "lastModified": "2024-11-21T01:58:46.447", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2013-12-09T16:36:47.097", "references": [ { "source": "cve@mitre.org", "url": "http://cpanel.net/tsr-2013-0010-full-disclosure/" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/54808" }, { "source": "cve@mitre.org", "url": "http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.dovecot.org/list/dovecot-news/2013-November/000264.html" }, { "source": "cve@mitre.org", "url": "https://usn.ubuntu.com/3556-2/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://cpanel.net/tsr-2013-0010-full-disclosure/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/54808" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.dovecot.org/list/dovecot-news/2013-November/000264.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/3556-2/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | 2.0.0 | |
dovecot | dovecot | 2.0.1 | |
dovecot | dovecot | 2.0.2 | |
dovecot | dovecot | 2.0.3 | |
dovecot | dovecot | 2.0.4 | |
dovecot | dovecot | 2.0.5 | |
dovecot | dovecot | 2.0.6 | |
dovecot | dovecot | 2.0.7 | |
dovecot | dovecot | 2.0.8 | |
dovecot | dovecot | 2.0.9 | |
dovecot | dovecot | 2.0.10 | |
dovecot | dovecot | 2.0.11 | |
dovecot | dovecot | 2.0.12 | |
dovecot | dovecot | 2.0.13 | |
dovecot | dovecot | 2.0.14 | |
dovecot | dovecot | 2.0.15 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AEE31582-7AE3-4131-BDE9-5654DE58FAF3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "65102391-C9AF-4CA3-AC43-0C52A7A37363", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "593DF083-5960-4BD5-AFC4-668B30E32E59", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "4DCC5E56-D31E-45F0-B18B-D98C219DEBAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "D969ED92-F429-4F67-8366-31A73CEE6A47", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "8D4074C5-98E7-4A65-9413-17081FE12F0E", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "810788F1-D928-4190-94F9-944AF677C9BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "CD6739FA-5AFE-46E9-AFB6-147736A81A86", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "4D486B62-AEB1-448E-88B9-267A1E1405A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "062E0A90-0C22-4E5F-8D12-B3A17EE87789", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "C9DCBDC9-B290-4495-8D15-C0E9AD595291", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "E7574EAB-5E97-4906-9D7E-33654BFAEC6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "F575E273-7FF6-44A0-A217-7A7544ED8061", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.13:*:*:*:*:*:*:*", 
"matchCriteriaId": "DE7ADB47-D8F4-427A-AFF3-F4001E87C0C1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "F42D40FF-607A-4D80-B27C-A577C499436B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "BF9F42B2-56CF-42D7-A4FE-56EBC4A26D44", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname." }, { "lang": "es", "value": "Dovecot v2.0.x antes de v2.0.16, cuando ssl o starttls est\u00e1 disponible y hostname se usa para definir la destinaci\u00f3n del proxy, que no verifica que el servidor hostname busca el nombre del dominio en el sujeto del Common Name (CN) del certificado X.509, que permite ataques man-in-the middle para burlar los servidores SSL a trav\u00e9s de un certificado para un hostname diferente." 
} ], "id": "CVE-2011-4318", "lastModified": "2024-11-21T01:32:13.650", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2013-03-07T01:55:01.617", "references": [ { "source": "secalert@redhat.com", "url": "http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/46886" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/52311" }, { "source": "secalert@redhat.com", "url": "http://www.dovecot.org/list/dovecot-news/2011-November/000200.html" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2011/11/18/5" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2011/11/18/7" }, { "source": "secalert@redhat.com", "url": "https://bugs.gentoo.org/show_bug.cgi?id=390887" }, { "source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=754980" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/46886" 
}, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/52311" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.dovecot.org/list/dovecot-news/2011-November/000200.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2011/11/18/5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2011/11/18/7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugs.gentoo.org/show_bug.cgi?id=390887" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=754980" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
fedoraproject | fedora | 29 | |
fedoraproject | fedora | 30 | |
opensuse | leap | 15.0 | |
opensuse | leap | 15.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "865217D0-97A3-4F8B-B002-434C7B116B9E", "versionEndIncluding": "2.3.5.2", "versionStartIncluding": "2.3.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message." 
}, { "lang": "es", "value": "En el servidor IMAP en Dovecot versi\u00f3n 2.3.3 hasta la versi\u00f3n 2.3.5.2, el componente de env\u00edo de inicio de sesi\u00f3n se bloquea si se intenta AUTH PLAIN sobre un canal seguro TLS con un mensaje de identidad no aceptado" } ], "id": "CVE-2019-11499", "lastModified": "2024-11-21T04:21:12.640", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-08T17:29:00.223", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "source": "cve@mitre.org", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://www.dovecot.org/download.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://www.dovecot.org/security.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://www.dovecot.org/download.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.dovecot.org/security.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | 1.0.7 | |
redhat | enterprise_linux | 5.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "4A349510-4D00-4978-93D9-3F9F5E0CD8DE", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "1D8B549B-E57B-4DFE-8A13-CAB06B5356B3", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value." }, { "lang": "es", "value": "dovecot 1.0.7 en Red Hat Enterprise Linux (RHEL) 5 y posiblemente Fedora, utiliza permisos le\u00edbles por todo el mundo para dovecot.conf, lo que permite a usuarios locales obtener el valor del par\u00e1metro ssl_key_password." } ], "id": "CVE-2008-4870", "lastModified": "2024-11-21T00:52:43.197", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-11-01T00:00:01.273", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/32164" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/33149" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/33624" }, { 
"source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2008/10/29/10" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323" }, { "source": "cve@mitre.org", "tags": [ "Tool Signature" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/32164" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/33149" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/33624" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2008/10/29/10" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" 
], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Tool Signature" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-732" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
fedoraproject | fedora | 33 | |
fedoraproject | fedora | 34 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE875870-7D70-4401-88CC-DF237054A78C", "versionEndExcluding": "2.3.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension." }, { "lang": "es", "value": "El motor Sieve en Dovecot versiones anteriores a 2.3.15, permite un Consumo No controlado de Recursos, como es demostrado por una situaci\u00f3n con una expresi\u00f3n regular compleja para la extensi\u00f3n regex" } ], "id": "CVE-2020-28200", "lastModified": "2024-11-21T05:22:28.117", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", 
"privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-06-28T13:15:12.357", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2021/06/28/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": 
"https://www.openwall.com/lists/oss-security/2021/06/28/3" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-770" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
debian | debian_linux | 9.0 | |
debian | debian_linux | 10.0 | |
canonical | ubuntu_linux | 14.04 | |
canonical | ubuntu_linux | 16.04 | |
canonical | ubuntu_linux | 18.04 | |
canonical | ubuntu_linux | 20.04 | |
fedoraproject | fedora | 31 | |
fedoraproject | fedora | 32 | |
fedoraproject | fedora | 33 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "346B659D-F8B1-43E5-A50E-2FC6ED1F6536", "versionEndExcluding": "2.3.11.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of 
an out-of-bounds read." }, { "lang": "es", "value": "En Dovecot versiones anteriores a 2.3.11.3, el env\u00edo de una petici\u00f3n NTLM con formato especial bloquear\u00e1 el servicio auth debido a una lectura fuera de l\u00edmites" } ], "id": "CVE-2020-12673", "lastModified": "2024-11-21T05:00:02.653", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-08-12T16:15:11.823", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "source": "cve@mitre.org", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202009-02" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/4456-1/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/4456-2/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2020/dsa-4745" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2020/08/12/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202009-02" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/4456-1/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/4456-2/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2020/dsa-4745" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2020/08/12/2" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-125" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
debian | debian_linux | 9.0 | |
debian | debian_linux | 10.0 | |
canonical | ubuntu_linux | 14.04 | |
canonical | ubuntu_linux | 16.04 | |
canonical | ubuntu_linux | 18.04 | |
canonical | ubuntu_linux | 20.04 | |
fedoraproject | fedora | 31 | |
fedoraproject | fedora | 32 | |
fedoraproject | fedora | 33 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "346B659D-F8B1-43E5-A50E-2FC6ED1F6536", "versionEndExcluding": "2.3.11.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a 
length of zero is mishandled." }, { "lang": "es", "value": "En Dovecot versiones anteriores a 2.3.11.3, el env\u00edo de una petici\u00f3n RPA con un formato especial bloquear\u00e1 el servicio auth porque una longitud de cero es manejada inapropiadamente" } ], "id": "CVE-2020-12674", "lastModified": "2024-11-21T05:00:02.833", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-08-12T16:15:11.900", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": 
"https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202009-02" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/4456-1/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/4456-2/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2020/dsa-4745" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2020/08/12/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202009-02" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/4456-1/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/4456-2/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2020/dsa-4745" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2020/08/12/3" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-125" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
debian | debian_linux | 8.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A0F511-D72E-464A-BA7B-477C9CC0B479", "versionEndIncluding": "2.2.28", "versionStartIncluding": "2.2.26", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Dovecot before version 2.2.29 is vulnerable to a denial of service. When \u0027dict\u0027 passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang." }, { "lang": "es", "value": "Dovecot en versiones anteriores a la 2.2.29 es vulnerable a una denegaci\u00f3n de servicio (DoS). Cuando se emplearon los \"dict\" passdb y userdb para la autenticaci\u00f3n de usuarios, el nombre de usuario enviado por el cliente IMAP/POP3 se envi\u00f3 mediante var_expand() para realizar la expansi\u00f3n de %variable. El env\u00edo de campos %variable especialmente manipulados podr\u00eda resultar en un uso excesivo de memoria que provoca que el proceso se cierre inesperadamente (y se reinicie) o en un uso excesivo de CPU que provoca que todas las autenticaciones dejen de responder." 
} ], "id": "CVE-2017-2669", "lastModified": "2024-11-21T03:23:56.570", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-06-21T13:29:00.317", "references": [ { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2017/04/11/1" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97536" }, { "source": "secalert@redhat.com", "tags": [ "Issue 
Tracking", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2017/dsa-3828" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2017/04/11/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97536" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2017/dsa-3828" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "secalert@redhat.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F8BE860F-A3C2-43E0-BC75-503C437DAADD", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "9E6F249C-2793-46B5-A9E2-5EB3A62FF8E4", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "E4E57B06-8650-4374-B643-6FCBE3ABDAF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B0384E42-1506-4C08-AA5A-18B2A711C7F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "F5DC1CE5-50B9-426E-B98A-224DC499AB15", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "350A26D6-A8BA-4125-A640-264E08D28CB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "71057F4B-3040-4771-B989-9F3453934AAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "1730EBB1-4071-4A23-B770-D564AF422273", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "10A27394-E1C7-4EF0-94C8-71D6EA33CE6D", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD2D1C99-0594-4378-AA6C-EC2E890E41FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "96F35305-79B4-49CD-A89F-A559CA9EEB33", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "EDC7E277-A5AE-4025-8412-E715D1C8C0F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "0DBE1D51-B9D5-4E59-81F6-C6937DA78637", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.4:*:*:*:*:*:*:*", 
"matchCriteriaId": "30B37ACE-64EA-49E7-B836-C3F05CAE0392", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "1204F5C2-916D-4C27-A5C4-5B5E0AAA7322", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "A0C46C8A-EA49-4356-BA6B-8EC0F2E70B3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "96F54038-B17B-40C0-9C2E-20AF55E7602B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "BBB0B72A-1C7D-4F89-BE89-CD82F667CB76", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "FEF89EB6-CBF5-48DF-8FDD-2C0AE0266B3D", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "41B2B3D8-EB69-4BD8-ACD5-CB6BFDE6B2FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "E1A909DC-0D77-4690-87D2-51A7564B63B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "BB2F767F-5D7F-40AC-BA57-4E819F486301", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.13:*:*:*:*:*:*:*", "matchCriteriaId": "68296C7C-B72C-46E7-A280-5E86E1470FDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.14:*:*:*:*:*:*:*", "matchCriteriaId": "72E1AF54-0446-49FB-A6B8-AF14833A3D0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.15:*:*:*:*:*:*:*", "matchCriteriaId": "CCD9422B-D205-4ADD-BF43-08483C353A41", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3DDF90CB-3787-4872-B292-CE12FB6D62EF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AEE31582-7AE3-4131-BDE9-5654DE58FAF3", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "65102391-C9AF-4CA3-AC43-0C52A7A37363", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "593DF083-5960-4BD5-AFC4-668B30E32E59", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "4DCC5E56-D31E-45F0-B18B-D98C219DEBAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "D969ED92-F429-4F67-8366-31A73CEE6A47", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "8D4074C5-98E7-4A65-9413-17081FE12F0E", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "810788F1-D928-4190-94F9-944AF677C9BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "CD6739FA-5AFE-46E9-AFB6-147736A81A86", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "4D486B62-AEB1-448E-88B9-267A1E1405A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "062E0A90-0C22-4E5F-8D12-B3A17EE87789", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "C9DCBDC9-B290-4495-8D15-C0E9AD595291", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "E7574EAB-5E97-4906-9D7E-33654BFAEC6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "F575E273-7FF6-44A0-A217-7A7544ED8061", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "DE7ADB47-D8F4-427A-AFF3-F4001E87C0C1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "F42D40FF-607A-4D80-B27C-A577C499436B", "vulnerable": 
true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "BF9F42B2-56CF-42D7-A4FE-56EBC4A26D44", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "EDEF605E-34C6-4BFD-96B6-E03B8A8097C3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "4212D5BB-51B9-4FFD-9649-3E16ED3E1ABE", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "5B7A4498-42A2-4CED-B7A9-F62548EA3EE8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1:rc5:*:*:*:*:*:*", "matchCriteriaId": "6111D270-096B-4047-B6B4-170420C24A58", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1:rc6:*:*:*:*:*:*", "matchCriteriaId": "7D9B53BA-4364-42A7-82E3-DC785789464A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1:rc7:*:*:*:*:*:*", "matchCriteriaId": "E136870F-F5E9-4605-8186-3993309EEE24", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F38C8E3A-8B54-4753-B13A-AE2E465FA5AC", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "32D18EF9-AE3B-4D08-A3A9-46B5E87BB9BD", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "C673DFC9-9792-464C-BD7C-4FE79E68B66B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "CD5BE130-02A4-4FE7-BF6B-758D8239BA51", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "365A0662-7947-4D91-9D15-FB2DF13531A1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "92929838-DBD2-475B-8FE8-D07C07946495", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.6:*:*:*:*:*:*:*", "matchCriteriaId": 
"06CA0943-02FF-4CE7-A0F3-0EB25E8A12F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "4A9EEAA5-7E8C-46FE-93B5-D029335BB9E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.8:*:*:*:*:*:*:*", "matchCriteriaId": "AC46D7F7-FEAF-4639-AA76-AA4A4A048053", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.10:*:*:*:*:*:*:*", "matchCriteriaId": "AF7EACFF-3F1B-4C9A-AE3D-B98777F4C77A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.11:*:*:*:*:*:*:*", "matchCriteriaId": "81B73116-B55E-414C-B600-026A91BFCC2E", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.12:*:*:*:*:*:*:*", "matchCriteriaId": "60B1FD0E-9C89-49C0-B1F0-5D6252A12158", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.13:*:*:*:*:*:*:*", "matchCriteriaId": "8A260A74-4F4C-470E-BDDC-2B4B7A08F5DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.14:*:*:*:*:*:*:*", "matchCriteriaId": "8466B0AB-EA90-47DC-871C-95A738A5185A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.1.15:*:*:*:*:*:*:*", "matchCriteriaId": "47022C47-9C2B-404C-834A-8703EF7F5B9A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "B11EF361-E553-402A-83EE-71D887FC9F69", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "7E47CA62-99F7-4906-B6F6-245A4B22AC99", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "52F33ED8-9902-41B8-9189-462620FD62C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc4:*:*:*:*:*:*", "matchCriteriaId": "6741622C-7CCB-4FB7-AF17-EE95C3311D78", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc5:*:*:*:*:*:*", "matchCriteriaId": "856E97CA-689D-409C-B8DF-AD95AA3CD7ED", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:dovecot:dovecot:2.2:rc6:*:*:*:*:*:*", "matchCriteriaId": "89EF88D5-2FA2-4F97-BA26-9FD82D4CD37A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc7:*:*:*:*:*:*", "matchCriteriaId": "AF73C3A2-C646-4D46-9975-B6FEDD262542", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9260A530-7A6D-4223-94B6-D3DCDF7FF331", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "0BE31C92-74FA-460F-AACD-3983C1E78E02", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "733F99E5-A9E9-4DCF-85C4-54E7F1014F16", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "FF19B9C8-C67B-47A5-8297-0EFCF4E63491", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "DC5200F5-66BE-4DB3-9BB8-68C403600045", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "8685D3E7-4EAD-46B4-8607-F4CF6E7F11DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "5A79E75E-B49E-487A-AB3F-6326874B03B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "356215D0-E645-48E4-91D4-F44F60B169B9", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "02FD3A69-F9BE-4895-B648-0E70ABED3915", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "4881557F-C9A1-4952-81F0-79791A6A418F", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "964826FB-B114-41D2-B690-2E8557906291", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "55DA003F-8003-4284-86BA-CF2C3BAFA6C0", "vulnerable": 
true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection." }, { "lang": "es", "value": "Dovecot 1.1 anterior a 2.2.13 y dovecot-ee anterior a 2.1.7.7 y 2.2.x anterior a 2.2.12.12 no cierra debidamente conexiones antiguas, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio (consumo de recursos) a trav\u00e9s de una negociaci\u00f3n SSL/TLS incompleta para una conexi\u00f3n IMAP/POP3." } ], "id": "CVE-2014-3430", "lastModified": "2024-11-21T02:08:04.843", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-05-14T19:55:13.077", "references": [ { "source": "cve@mitre.org", "url": "http://advisories.mageia.org/MGASA-2014-0223.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://dovecot.org/pipermail/dovecot-news/2014-May/000273.html" }, { "source": "cve@mitre.org", "url": "http://linux.oracle.com/errata/ELSA-2014-0790.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://permalink.gmane.org/gmane.mail.imap.dovecot/77499" }, { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2014-0790.html" }, { "source": 
"cve@mitre.org", "url": "http://secunia.com/advisories/59051" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/59537" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/59552" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2014/dsa-2954" }, { "source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:113" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.openwall.com/lists/oss-security/2014/05/09/4" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2014/05/09/8" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/67306" }, { "source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2213-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://advisories.mageia.org/MGASA-2014-0223.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://dovecot.org/pipermail/dovecot-news/2014-May/000273.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://linux.oracle.com/errata/ELSA-2014-0790.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://permalink.gmane.org/gmane.mail.imap.dovecot/77499" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-0790.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/59051" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/59537" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/59552" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2014/dsa-2954" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:113" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.openwall.com/lists/oss-security/2014/05/09/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2014/05/09/8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/67306" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2213-1" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | 1.2.0 | |
dovecot | dovecot | 1.2.1 | |
dovecot | dovecot | 1.2.2 | |
dovecot | dovecot | 1.2.3 | |
dovecot | dovecot | 1.2.4 | |
dovecot | dovecot | 1.2.5 | |
dovecot | dovecot | 1.2.6 | |
dovecot | dovecot | 1.2.7 | |
dovecot | dovecot | 1.2.8 | |
dovecot | dovecot | 1.2.9 | |
dovecot | dovecot | 1.2.10 | |
dovecot | dovecot | 1.2.11 | |
dovecot | dovecot | 1.2.12 | |
dovecot | dovecot | 1.2.13 | |
dovecot | dovecot | 1.2.14 | |
dovecot | dovecot | 2.0.0 | |
dovecot | dovecot | 2.0.1 | |
dovecot | dovecot | 2.0.2 | |
dovecot | dovecot | 2.0.3 | |
dovecot | dovecot | 2.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD2D1C99-0594-4378-AA6C-EC2E890E41FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "96F35305-79B4-49CD-A89F-A559CA9EEB33", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "EDC7E277-A5AE-4025-8412-E715D1C8C0F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "0DBE1D51-B9D5-4E59-81F6-C6937DA78637", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "30B37ACE-64EA-49E7-B836-C3F05CAE0392", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "1204F5C2-916D-4C27-A5C4-5B5E0AAA7322", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "A0C46C8A-EA49-4356-BA6B-8EC0F2E70B3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "96F54038-B17B-40C0-9C2E-20AF55E7602B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "BBB0B72A-1C7D-4F89-BE89-CD82F667CB76", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "FEF89EB6-CBF5-48DF-8FDD-2C0AE0266B3D", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "41B2B3D8-EB69-4BD8-ACD5-CB6BFDE6B2FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "E1A909DC-0D77-4690-87D2-51A7564B63B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "BB2F767F-5D7F-40AC-BA57-4E819F486301", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.13:*:*:*:*:*:*:*", 
"matchCriteriaId": "68296C7C-B72C-46E7-A280-5E86E1470FDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.14:*:*:*:*:*:*:*", "matchCriteriaId": "72E1AF54-0446-49FB-A6B8-AF14833A3D0C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AEE31582-7AE3-4131-BDE9-5654DE58FAF3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "65102391-C9AF-4CA3-AC43-0C52A7A37363", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "593DF083-5960-4BD5-AFC4-668B30E32E59", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "4DCC5E56-D31E-45F0-B18B-D98C219DEBAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "D969ED92-F429-4F67-8366-31A73CEE6A47", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox." }, { "lang": "es", "value": "plugins/acl/acl-backend-vfile.c en Dovecot v1.2.x anterior a v1.2.15 y v2.0.x anterior a v2.0.5 interpreta una entrada ACL como una directiva a a\u00f1adir a los permisos asignados por otra entrada ACL, en lugar de una directiva para reemplazar los permisos asignados por otra entrada ACL. 
En ciertas circunstancias involucrando espacios de nombres privados de un usuario, lo que permite a usuarios autenticados remotamente evitar restricciones de acceso intencionadas a trav\u00e9s de peticiones para leer o modificar un buz\u00f3n de correo" } ], "id": "CVE-2010-3706", "lastModified": "2024-11-21T01:19:26.140", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-10-06T17:00:17.360", "references": [ { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html" }, { "source": "secalert@redhat.com", "url": "http://marc.info/?l=oss-security\u0026m=128620520732377\u0026w=2" }, { "source": "secalert@redhat.com", "url": "http://marc.info/?l=oss-security\u0026m=128622064325688\u0026w=2" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/43220" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053451.html" }, { "source": "secalert@redhat.com", "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html" }, { "source": "secalert@redhat.com", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "source": 
"secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/2572" }, { "source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=oss-security\u0026m=128620520732377\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=oss-security\u0026m=128622064325688\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/43220" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053451.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/2572" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2011/0301" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], 
"source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | 2.0.0 | |
dovecot | dovecot | 2.0.1 | |
dovecot | dovecot | 2.0.2 | |
dovecot | dovecot | 2.0.3 | |
dovecot | dovecot | 2.0.4 | |
dovecot | dovecot | 2.0.5 | |
dovecot | dovecot | 2.0.6 | |
dovecot | dovecot | 2.0.7 | |
dovecot | dovecot | 2.0.8 | |
dovecot | dovecot | 2.0.9 | |
dovecot | dovecot | 2.0.10 | |
dovecot | dovecot | 2.0.11 | |
dovecot | dovecot | 2.0.12 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AEE31582-7AE3-4131-BDE9-5654DE58FAF3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "65102391-C9AF-4CA3-AC43-0C52A7A37363", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "593DF083-5960-4BD5-AFC4-668B30E32E59", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "4DCC5E56-D31E-45F0-B18B-D98C219DEBAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "D969ED92-F429-4F67-8366-31A73CEE6A47", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "8D4074C5-98E7-4A65-9413-17081FE12F0E", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "810788F1-D928-4190-94F9-944AF677C9BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "CD6739FA-5AFE-46E9-AFB6-147736A81A86", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "4D486B62-AEB1-448E-88B9-267A1E1405A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "062E0A90-0C22-4E5F-8D12-B3A17EE87789", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "C9DCBDC9-B290-4495-8D15-C0E9AD595291", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "E7574EAB-5E97-4906-9D7E-33654BFAEC6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "F575E273-7FF6-44A0-A217-7A7544ED8061", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], 
"descriptions": [ { "lang": "en", "value": "script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script." }, { "lang": "es", "value": "La secuencia de comandos de inicio de sesi\u00f3n en Dovecot v2.0.x antes de v2.0.13 no sigue la configuraci\u00f3n del usuario y grupo, lo que podr\u00eda permitir a usuarios remotos autenticados eludir las restricciones de acceso destinados al aprovechar una secuencia de comandos." } ], "id": "CVE-2011-2166", "lastModified": "2024-11-21T01:27:44.050", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-05-24T23:55:04.433", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/52311" }, { "source": "cve@mitre.org", "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/48003" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67675" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Patch" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/52311" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/48003" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67675" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-16" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://lists.opensuse.org/opensuse-updates/2016-11/msg00096.html | Mailing List, Third Party Advisory | |
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1346055 | Exploit, Issue Tracking, Third Party Advisory | |
secalert@redhat.com | https://bugzilla.suse.com/show_bug.cgi?id=984639 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-updates/2016-11/msg00096.html | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1346055 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.suse.com/show_bug.cgi?id=984639 | Exploit, Issue Tracking, Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | - | |
opensuse | leap | 42.1 | |
opensuse | leap | 42.2 | |
opensuse | opensuse | 13.2 | |
redhat | enterprise_linux | 4.0 | |
redhat | enterprise_linux | 5.0 | |
redhat | enterprise_linux | 6.0 | |
redhat | enterprise_linux | 7.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:-:*:*:*:*:*:*:*", "matchCriteriaId": "EF3FB8FC-B881-4E4C-995D-8AA3C347FA0B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", "matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:leap:42.2:*:*:*:*:*:*:*", "matchCriteriaId": "1EA337A3-B9A3-4962-B8BD-8E0C7C5B28EB", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:redhat:enterprise_linux:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "6172AF57-B26D-45F8-BE3A-F75ABDF28F49", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "1D8B549B-E57B-4DFE-8A13-CAB06B5356B3", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files." }, { "lang": "es", "value": "Un script postinstall en el dovecot rpm, permite a usuarios locales leer el contenido de los archivos de clave SSL/TLS recientemente creados." 
} ], "id": "CVE-2016-4983", "lastModified": "2024-11-21T02:53:21.710", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-11-05T22:15:10.923", "references": [ { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-11/msg00096.html" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1346055" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=984639" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-11/msg00096.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1346055" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=984639" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-732" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://dovecot.org/pipermail/dovecot-news/2016-December/000333.html | Release Notes, Vendor Advisory | |
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2016/12/02/4 | Mailing List, Third Party Advisory | |
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2016/12/05/12 | Mailing List, Third Party Advisory | |
secalert@redhat.com | http://www.securityfocus.com/bid/94639 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://dovecot.org/pipermail/dovecot-news/2016-December/000333.html | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/12/02/4 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/12/05/12 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94639 | Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF2F0687-214B-47D5-BA1A-439CF981620F", "versionEndIncluding": "2.2.27", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows remote attackers to cause a denial of service (crash) by aborting authentication without setting a username." }, { "lang": "es", "value": "El componente de autenticaci\u00f3n en Dovecot en versiones anteriores a 2.2.27, cuando la pol\u00edtica de autenticaci\u00f3n es configurada, permite a atacantes remotos provocar una denegaci\u00f3n de servicio (ca\u00edda) abortando la autenticaci\u00f3n sin establecer un nombre de usuario." } ], "id": "CVE-2016-8652", "lastModified": "2024-11-21T02:59:46.147", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published":
"2017-02-17T02:59:13.547", "references": [ { "source": "secalert@redhat.com", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "http://dovecot.org/pipermail/dovecot-news/2016-December/000333.html" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/02/4" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/05/12" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/94639" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "http://dovecot.org/pipermail/dovecot-news/2016-December/000333.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/02/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/05/12" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/94639" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B753CF9-8EB3-4925-9772-F6044915C907", "versionEndExcluding": "2.3.10.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart." }, { "lang": "es", "value": "En Dovecot versiones anteriores a 2.3.10.1, los atacantes remotos no autenticados pueden bloquear el proceso lmtp o submission mediante el env\u00edo de un correo con un localpart vac\u00edo." } ], "id": "CVE-2020-10967", "lastModified": "2024-11-21T04:56:28.360", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", 
"confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-05-18T15:15:10.817", "references": [ { "source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4361-1/" }, { "source": 
"cve@mitre.org", "url": "https://www.debian.org/security/2020/dsa-4690" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/4361-1/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2020/dsa-4690" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
7.8 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
dovecot | dovecot | * | |
debian | debian_linux | 8.0 | |
debian | debian_linux | 9.0 | |
canonical | ubuntu_linux | 14.04 | |
canonical | ubuntu_linux | 16.04 | |
canonical | ubuntu_linux | 18.04 | |
canonical | ubuntu_linux | 18.10 | |
opensuse | leap | 15.0 | |
opensuse | leap | 42.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "7608066A-7434-4CF8-B09F-16C88E68EFE0", "versionEndExcluding": "2.2.36.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F754023-BB5F-40EB-9E76-032494F7EF20", "versionEndExcluding": "2.3.5.1", "versionStartIncluding": "2.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "matchCriteriaId": "07C312A0-CD2C-4B9C-B064-6409B25C278F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*", "matchCriteriaId": "5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local 
attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components." }, { "lang": "es", "value": "En Dovecot, en versiones anteriores a la 2.2.36.3 y en las 2.3.x anteriores a la 2.3.5.1, un atacante local puede provocar un desbordamiento de b\u00fafer en el proceso \"indexer-worker\", que se podr\u00eda utilizar para elevar a root. Esto ocurre debido a la falta de comprobaciones en los componentes fts y pop3-uidl." } ], "id": "CVE-2019-7524", "lastModified": "2024-11-21T04:48:16.917", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-03-28T14:29:00.417", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00060.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2019/03/28/1" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/107672" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/list/dovecot-news/2019-March/000403.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00038.html" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Mailing List", "Third Party Advisory" ], "url": "https://seclists.org/bugtraq/2019/Mar/59" }, { "source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201904-19" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/3928-1/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": 
"https://www.debian.org/security/2019/dsa-4418" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00060.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2019/03/28/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/107672" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/list/dovecot-news/2019-March/000403.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00038.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Mailing List", "Third Party Advisory" ], "url": "https://seclists.org/bugtraq/2019/Mar/59" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201904-19" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": 
"https://usn.ubuntu.com/3928-1/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2019/dsa-4418" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-119" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
debian | debian_linux | 10.0 | |
fedoraproject | fedora | 32 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E8AA2ED-9604-4BC7-8A46-E772A6F1D595", "versionEndExcluding": "2.3.13", "versionStartIncluding": "2.2.26", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users\u0027 email messages (and path disclosure)." }, { "lang": "es", "value": "Se detect\u00f3 un problema en Dovecot versiones anteriores a 2.3.13. Al usar IMAP IDLE, un atacante autenticado puede desencadenar la inhibici\u00f3n por medio de par\u00e1metros controlados por el atacante, conllevando a un acceso a los mensajes de correo electr\u00f3nico de otros usuarios (y a una divulgaci\u00f3n de ruta)."
} ], "id": "CVE-2020-24386", "lastModified": "2024-11-21T05:14:43.127", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-01-04T17:15:13.867", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2021/Jan/18" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2021/01/04/4" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://doc.dovecot.org/configuration_manual/hibernation/" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html" }, { "source": "cve@mitre.org", "tags": [ 
"Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202101-01" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2021/dsa-4825" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2021/Jan/18" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2021/01/04/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://doc.dovecot.org/configuration_manual/hibernation/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202101-01" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2021/dsa-4825" } ], "sourceIdentifier": "cve@mitre.org", 
"vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | 1.2.0 | |
dovecot | dovecot | 1.2.1 | |
dovecot | dovecot | 1.2.2 | |
dovecot | dovecot | 1.2.3 | |
dovecot | dovecot | 1.2.4 | |
dovecot | dovecot | 1.2.5 | |
dovecot | dovecot | 1.2.6 | |
dovecot | dovecot | 1.2.7 | |
dovecot | dovecot | 1.2.8 | |
dovecot | dovecot | 1.2.9 | |
dovecot | dovecot | 1.2.10 | |
dovecot | dovecot | 1.2.11 | |
dovecot | dovecot | 1.2.12 | |
dovecot | dovecot | 1.2.13 | |
dovecot | dovecot | 1.2.14 | |
dovecot | dovecot | 1.2.15 | |
dovecot | dovecot | 1.2.16 | |
dovecot | dovecot | 2.0 | |
dovecot | dovecot | 2.0.0 | |
dovecot | dovecot | 2.0.1 | |
dovecot | dovecot | 2.0.2 | |
dovecot | dovecot | 2.0.3 | |
dovecot | dovecot | 2.0.4 | |
dovecot | dovecot | 2.0.5 | |
dovecot | dovecot | 2.0.6 | |
dovecot | dovecot | 2.0.7 | |
dovecot | dovecot | 2.0.8 | |
dovecot | dovecot | 2.0.9 | |
dovecot | dovecot | 2.0.10 | |
dovecot | dovecot | 2.0.11 | |
dovecot | dovecot | 2.0.12 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD2D1C99-0594-4378-AA6C-EC2E890E41FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "96F35305-79B4-49CD-A89F-A559CA9EEB33", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "EDC7E277-A5AE-4025-8412-E715D1C8C0F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "0DBE1D51-B9D5-4E59-81F6-C6937DA78637", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "30B37ACE-64EA-49E7-B836-C3F05CAE0392", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "1204F5C2-916D-4C27-A5C4-5B5E0AAA7322", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "A0C46C8A-EA49-4356-BA6B-8EC0F2E70B3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "96F54038-B17B-40C0-9C2E-20AF55E7602B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "BBB0B72A-1C7D-4F89-BE89-CD82F667CB76", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "FEF89EB6-CBF5-48DF-8FDD-2C0AE0266B3D", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "41B2B3D8-EB69-4BD8-ACD5-CB6BFDE6B2FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "E1A909DC-0D77-4690-87D2-51A7564B63B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "BB2F767F-5D7F-40AC-BA57-4E819F486301", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.13:*:*:*:*:*:*:*", 
"matchCriteriaId": "68296C7C-B72C-46E7-A280-5E86E1470FDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.14:*:*:*:*:*:*:*", "matchCriteriaId": "72E1AF54-0446-49FB-A6B8-AF14833A3D0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.15:*:*:*:*:*:*:*", "matchCriteriaId": "CCD9422B-D205-4ADD-BF43-08483C353A41", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.16:*:*:*:*:*:*:*", "matchCriteriaId": "0E15A372-9DEA-45F5-A8BC-E73C5CEA64DC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3DDF90CB-3787-4872-B292-CE12FB6D62EF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AEE31582-7AE3-4131-BDE9-5654DE58FAF3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "65102391-C9AF-4CA3-AC43-0C52A7A37363", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "593DF083-5960-4BD5-AFC4-668B30E32E59", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "4DCC5E56-D31E-45F0-B18B-D98C219DEBAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "D969ED92-F429-4F67-8366-31A73CEE6A47", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "8D4074C5-98E7-4A65-9413-17081FE12F0E", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "810788F1-D928-4190-94F9-944AF677C9BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "CD6739FA-5AFE-46E9-AFB6-147736A81A86", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.8:*:*:*:*:*:*:*", "matchCriteriaId": 
"4D486B62-AEB1-448E-88B9-267A1E1405A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "062E0A90-0C22-4E5F-8D12-B3A17EE87789", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "C9DCBDC9-B290-4495-8D15-C0E9AD595291", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "E7574EAB-5E97-4906-9D7E-33654BFAEC6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "F575E273-7FF6-44A0-A217-7A7544ED8061", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle \u0027\\0\u0027 characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message." }, { "lang": "es", "value": "lib-mail/message-header-parser.c en Dovecot v1.2.x antes de v1.2.17 y v2.0.x antes de v2.0.13 no controla correctamente los caracteres \u0027\\ 0 \u0027 en los nombres de cabecera, lo que permite a atacantes remotos provocar una denegaci\u00f3n de servicio (ca\u00edda del demonio o la corrupci\u00f3n de buz\u00f3n) a trav\u00e9s de un mensaje de e-mail manipulado." 
} ], "id": "CVE-2011-1929", "lastModified": "2024-11-21T01:27:19.797", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-05-24T23:55:04.387", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059086.html" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://hg.dovecot.org/dovecot-1.1/rev/3698dfe0f21c" }, { "source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061384.html" }, { "source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060815.html" }, { "source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060825.html" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2011/05/19/3" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2011/05/19/6" }, { "source": "secalert@redhat.com", "url": "http://osvdb.org/72495" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/44683" }, { "source": 
"secalert@redhat.com", "url": "http://secunia.com/advisories/44712" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/44756" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/44771" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/44827" }, { "source": "secalert@redhat.com", "url": "http://www.debian.org/security/2011/dsa-2252" }, { "source": "secalert@redhat.com", "url": "http://www.dovecot.org/doc/NEWS-1.2" }, { "source": "secalert@redhat.com", "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "source": "secalert@redhat.com", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:101" }, { "source": "secalert@redhat.com", "url": "http://www.redhat.com/support/errata/RHSA-2011-1187.html" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/47930" }, { "source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-1143-1" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=706286" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67589" }, { "source": "secalert@redhat.com", "url": "https://hermes.opensuse.org/messages/8581790" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059086.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://hg.dovecot.org/dovecot-1.1/rev/3698dfe0f21c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061384.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060815.html" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060825.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2011/05/19/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2011/05/19/6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/72495" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/44683" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/44712" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/44756" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/44771" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/44827" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2011/dsa-2252" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.dovecot.org/doc/NEWS-1.2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:101" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.redhat.com/support/errata/RHSA-2011-1187.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/47930" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-1143-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=706286" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67589" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://hermes.opensuse.org/messages/8581790" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | 1.0.beta1 | |
dovecot | dovecot | 1.0.beta2 | |
dovecot | dovecot | 1.0.beta3 | |
dovecot | dovecot | 1.0.beta4 | |
dovecot | dovecot | 1.0.beta5 | |
dovecot | dovecot | 1.0.beta6 | |
dovecot | dovecot | 1.0.beta7 | |
dovecot | dovecot | 1.0.beta8 | |
dovecot | dovecot | 1.0.beta9 | |
dovecot | dovecot | 1.0.rc1 | |
dovecot | dovecot | 1.0.rc2 | |
dovecot | dovecot | 1.0.rc3 | |
dovecot | dovecot | 1.0.rc4 | |
dovecot | dovecot | 1.0.rc5 | |
dovecot | dovecot | 1.0.rc6 | |
dovecot | dovecot | 1.0.rc7 | |
dovecot | dovecot | 1.0.rc8 | |
dovecot | dovecot | 1.0.rc9 | |
dovecot | dovecot | 1.0.rc10 | |
dovecot | dovecot | 1.0.rc11 | |
dovecot | dovecot | 1.0.rc12 | |
dovecot | dovecot | 1.0.rc13 | |
dovecot | dovecot | 1.0.rc14 | |
dovecot | dovecot | 1.0.rc15 | |
dovecot | dovecot | 1.0.rc16 | |
dovecot | dovecot | 1.0.rc17 | |
dovecot | dovecot | 1.0.rc18 | |
dovecot | dovecot | 1.0.rc19 | |
dovecot | dovecot | 1.0.rc20 | |
dovecot | dovecot | 1.0.rc21 | |
dovecot | dovecot | 1.0.rc22 | |
dovecot | dovecot | 1.0.rc23 | |
dovecot | dovecot | 1.0.rc24 | |
dovecot | dovecot | 1.0.rc25 | |
dovecot | dovecot | 1.0.rc26 | |
dovecot | dovecot | 1.0.rc27 | |
dovecot | dovecot | 1.0.rc28 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta1:*:*:*:*:*:*:*", "matchCriteriaId": "C9FBEF6C-4A09-4661-BED0-8B5BC8BAF1AD", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*", "matchCriteriaId": "9D680474-C329-4DD0-B4EA-2406E27EC474", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*", "matchCriteriaId": "165A0D0B-C6B0-431F-BF36-223A27CD6A42", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta4:*:*:*:*:*:*:*", "matchCriteriaId": "92FB54D3-F856-4027-8AAF-6B05AE17D520", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta5:*:*:*:*:*:*:*", "matchCriteriaId": "34759794-747B-4770-8DB5-4E07AA8A15AF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta6:*:*:*:*:*:*:*", "matchCriteriaId": "8D5AF2A0-3289-47FA-B8DB-D5E28504F012", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*", "matchCriteriaId": "99268D48-CF82-450B-A033-D87AF4109531", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*", "matchCriteriaId": "B2E09737-8107-45C0-BFF1-FB4CF81564CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta9:*:*:*:*:*:*:*", "matchCriteriaId": "280BE28D-B8A8-4E76-BC96-DB756C00B994", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*", "matchCriteriaId": "91E74D81-DF10-423A-8549-3BB5ED02B5A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*", "matchCriteriaId": "07D6853E-7E81-443D-8806-C8469217F55C", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*", "matchCriteriaId": "D1BE4B6A-47A2-457B-B6B8-8FE5C2026A11", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*", "matchCriteriaId": "7382F655-9B27-443D-9397-346FBEADEFDA", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*", "matchCriteriaId": "6F180045-A0DA-40A3-AD3E-F3402FB6456A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*", "matchCriteriaId": "C1A2FFE7-D008-47B4-80E7-AEC176918E06", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*", "matchCriteriaId": "8C840337-7B31-476B-BBCD-65F4899925E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*", "matchCriteriaId": "545EF2F5-9BAE-4612-9958-70A5413818A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*", "matchCriteriaId": "E80096F8-46D9-42E3-8CDB-99ADA2CBD970", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*", "matchCriteriaId": "9E504866-3429-4A4C-8278-5C2753D356C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*", "matchCriteriaId": "30857130-636F-4719-9F1E-8F6369F40DAC", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*", "matchCriteriaId": "9843D7CE-4723-4200-AFD4-5B31545A287E", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*", "matchCriteriaId": "54AF1D92-D89B-4DE4-9D47-72466873A4C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*", "matchCriteriaId": "64A8FCA5-1666-48F7-9689-37D9315813F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*", "matchCriteriaId": "D4D517F3-F0A8-4362-89B9-0ED63515283F", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc16:*:*:*:*:*:*:*", "matchCriteriaId": "23883A94-559B-4655-82D4-F09868235771", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc17:*:*:*:*:*:*:*", "matchCriteriaId": "520B52BF-FD23-429D-BAA4-E08DB84C82F3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc18:*:*:*:*:*:*:*", "matchCriteriaId": 
"0B7948AB-2061-4ADB-A01C-3CE8B47CCD19", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc19:*:*:*:*:*:*:*", "matchCriteriaId": "C24F6BFB-AA8C-441A-9026-809183D0350E", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc20:*:*:*:*:*:*:*", "matchCriteriaId": "C22A513A-A94A-4BC4-B5B7-3CCA166C9874", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc21:*:*:*:*:*:*:*", "matchCriteriaId": "65038654-6B35-4502-BD74-F9F0954C5EF0", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc22:*:*:*:*:*:*:*", "matchCriteriaId": "4307AA80-C0AC-4193-8353-D746DBF52FD8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc23:*:*:*:*:*:*:*", "matchCriteriaId": "0E95BAF5-FC78-4286-B6BD-464E9F08CF9D", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc24:*:*:*:*:*:*:*", "matchCriteriaId": "0C6AA8FD-3692-4069-8980-9544044B8CE6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc25:*:*:*:*:*:*:*", "matchCriteriaId": "F22AADE9-D37D-439B-B934-8DA01A29BB87", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc26:*:*:*:*:*:*:*", "matchCriteriaId": "4ECCD893-A5EE-4696-80AA-FD9092548BDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc27:*:*:*:*:*:*:*", "matchCriteriaId": "0B960D71-04E5-45F7-8DC2-45C341673FB5", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc28:*:*:*:*:*:*:*", "matchCriteriaId": "658E275E-8C2C-46EE-850A-14ADBD097E0F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name." 
}, { "lang": "es", "value": "Vulnerabilidad de escalado de directorio en index/mbox/mbox-storage.c de Dovecot versiones anteriores a 1.0.rc29, cuando se usa la extensi\u00f3n (plugin) zlib, permite a atacantes remotos leer buzones de correo (mbox files) comprimidos con gzip (.gz) de su elecci\u00f3n mediante una secuencia .. (punto punto) en el nombre del buz\u00f3n." } ], "id": "CVE-2007-2231", "lastModified": "2024-11-21T00:30:15.047", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-04-25T15:19:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://dovecot.org/doc/NEWS" }, { "source": "cve@mitre.org", "url": "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html" }, { "source": "cve@mitre.org", "url": "http://dovecot.org/list/dovecot-news/2007-March/000038.html" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/25072" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/30342" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2007/dsa-1359" }, { "source": "cve@mitre.org", "url": "http://www.novell.com/linux/security/advisories/2007_8_sr.html" }, { "source": "cve@mitre.org", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/466168/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/23552" }, { "source": "cve@mitre.org", 
"url": "http://www.ubuntu.com/usn/usn-487-1" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/1452" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082" }, { "source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://dovecot.org/doc/NEWS" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://dovecot.org/list/dovecot-news/2007-March/000038.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/25072" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/30342" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2007/dsa-1359" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.novell.com/linux/security/advisories/2007_8_sr.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/466168/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/23552" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/usn-487-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/1452" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995" } ], 
"sourceIdentifier": "cve@mitre.org", "vendorComments": [ { "comment": "This issue did not affect Red Hat Enterprise Linux prior to version 5. An update to Red Hat Enterprise Linux 5 was released to correct this issue:\nhttps://rhn.redhat.com/errata/RHSA-2008-0297.html", "lastModified": "2008-05-21T00:00:00", "organization": "Red Hat" } ], "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4240BD98-3C31-42CE-AF8F-045DD4BFC084", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "4D7A4A82-6C8D-453E-ACC5-2C8BAC7804D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1C05ACA0-ED87-4DDF-94B6-8D25BE1790F1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "8A8C0C4A-F9DB-4BB7-BFC5-BEC22C3FE40B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F8BE860F-A3C2-43E0-BC75-503C437DAADD", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "E4E57B06-8650-4374-B643-6FCBE3ABDAF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B0384E42-1506-4C08-AA5A-18B2A711C7F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "F5DC1CE5-50B9-426E-B98A-224DC499AB15", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "350A26D6-A8BA-4125-A640-264E08D28CB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "71057F4B-3040-4771-B989-9F3453934AAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "1730EBB1-4071-4A23-B770-D564AF422273", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "10A27394-E1C7-4EF0-94C8-71D6EA33CE6D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived 
from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as demonstrated by forwarding an e-mail message to a large number of recipients, a different vulnerability than CVE-2009-2632." }, { "lang": "es", "value": "M\u00faltiples desbordamientos de b\u00fafer basados en pila en el complemento -plugin- Sieve de Dovecot v1.0 anterior a v1.0.4 y v1.1 anterior a v1.1.7, como se deriva de Cyrus libsieve, permiten a atacantes dependientes del contexto provocar una denegaci\u00f3n de servicio (ca\u00edda) y puede que ejecutar c\u00f3digo de su elecci\u00f3n a trav\u00e9s de una secuencia de comandos SIEVE, como se ha demostrado reenviando un mensaje de correo a un gran n\u00famero de usuarios. Se trata de una vulnerabilidad diferente de CVE-2009-2632." } ], "id": "CVE-2009-3235", "lastModified": "2024-11-21T01:06:51.633", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-09-17T10:30:01.327", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://dovecot.org/list/dovecot-news/2009-September/000135.html" }, { "source": "cve@mitre.org", "url": "http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html" }, { "source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html" }, { "source": "cve@mitre.org", "url": 
"http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36698" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36713" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/36904" }, { "source": "cve@mitre.org", "url": "http://support.apple.com/kb/HT3937" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2009/09/14/3" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/58103" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/36377" }, { "source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/2641" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2009/3184" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53248" }, { "source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10515" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00491.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://dovecot.org/list/dovecot-news/2009-September/000135.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36698" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36713" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/36904" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://support.apple.com/kb/HT3937" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2009/09/14/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/58103" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/36377" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/2641" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2009/3184" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53248" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10515" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00491.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-119" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
6.8 (Medium) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
dovecot | dovecot | * | |
canonical | ubuntu_linux | 12.04 | |
canonical | ubuntu_linux | 14.04 | |
canonical | ubuntu_linux | 16.04 | |
canonical | ubuntu_linux | 18.04 | |
canonical | ubuntu_linux | 18.10 | |
opensuse | leap | 42.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7EC4FD5-8BCE-4412-B8F6-53F4DD0D6CE7", "versionEndExcluding": "2.2.36.1", "versionStartIncluding": "1.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C44A57B-1823-40EE-A24F-44144C505859", "versionEndExcluding": "2.3.4.1", "versionStartIncluding": "2.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "matchCriteriaId": "07C312A0-CD2C-4B9C-B064-6409B25C278F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*", "matchCriteriaId": "5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users." 
}, { "lang": "es", "value": "Se ha descubierto que Dovecot, en versiones anteriores a la 2.2.36.1 y 2.3.4.1, gestiona de manera incorrecta los certificados del cliente. Un atacante remoto en posesi\u00f3n de un certificado v\u00e1lido con un campo \"username\" vac\u00edo podr\u00eda emplear este problema para suplantar a otros usuarios." } ], "id": "CVE-2019-3814", "lastModified": "2024-11-21T04:42:35.823", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "secalert@redhat.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-03-27T13:29:01.337", "references": 
[ { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html" }, { "source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2019:3467" }, { "source": "secalert@redhat.com", "tags": [ "Issue Tracking", "Release Notes", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814" }, { "source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201904-19" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Mailing List", "Vendor Advisory" ], "url": "https://www.dovecot.org/list/dovecot/2019-February/114575.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:3467" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Release Notes", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"url": "https://security.gentoo.org/glsa/201904-19" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Vendor Advisory" ], "url": "https://www.dovecot.org/list/dovecot/2019-February/114575.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-295" } ], "source": "secalert@redhat.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-295" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
fedoraproject | fedora | 29 | |
fedoraproject | fedora | 30 | |
opensuse | leap | 15.0 | |
opensuse | leap | 15.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "865217D0-97A3-4F8B-B002-434C7B116B9E", "versionEndIncluding": "2.3.5.2", "versionStartIncluding": "2.3.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command." }, { "lang": "es", "value": "En el servidor IMAP en Dovecot 2.3.3 a 2.3.5.2, el servicio de submission-login se bloquea cuando el cliente se desconecta prematuramente durante el comando AUTH." 
} ], "id": "CVE-2019-11494", "lastModified": "2024-11-21T04:21:11.897", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-08T18:29:00.657", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://www.dovecot.org/download.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://www.dovecot.org/security.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://www.dovecot.org/download.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.dovecot.org/security.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-476" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | 1.2.0 | |
dovecot | dovecot | 1.2.1 | |
dovecot | dovecot | 1.2.2 | |
dovecot | dovecot | 1.2.3 | |
dovecot | dovecot | 1.2.4 | |
dovecot | dovecot | 1.2.5 | |
dovecot | dovecot | 1.2.6 | |
dovecot | dovecot | 1.2.7 | |
dovecot | dovecot | 1.2.8 | |
dovecot | dovecot | 1.2.9 | |
dovecot | dovecot | 1.2.10 | |
dovecot | dovecot | 1.2.11 | |
dovecot | dovecot | 1.2.12 | |
dovecot | dovecot | 1.2.13 | |
dovecot | dovecot | 1.2.14 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD2D1C99-0594-4378-AA6C-EC2E890E41FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "96F35305-79B4-49CD-A89F-A559CA9EEB33", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "EDC7E277-A5AE-4025-8412-E715D1C8C0F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "0DBE1D51-B9D5-4E59-81F6-C6937DA78637", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "30B37ACE-64EA-49E7-B836-C3F05CAE0392", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "1204F5C2-916D-4C27-A5C4-5B5E0AAA7322", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "A0C46C8A-EA49-4356-BA6B-8EC0F2E70B3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "96F54038-B17B-40C0-9C2E-20AF55E7602B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "BBB0B72A-1C7D-4F89-BE89-CD82F667CB76", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "FEF89EB6-CBF5-48DF-8FDD-2C0AE0266B3D", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "41B2B3D8-EB69-4BD8-ACD5-CB6BFDE6B2FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "E1A909DC-0D77-4690-87D2-51A7564B63B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "BB2F767F-5D7F-40AC-BA57-4E819F486301", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.13:*:*:*:*:*:*:*", 
"matchCriteriaId": "68296C7C-B72C-46E7-A280-5E86E1470FDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.14:*:*:*:*:*:*:*", "matchCriteriaId": "72E1AF54-0446-49FB-A6B8-AF14833A3D0C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneously disconnecting many (1) IMAP or (2) POP3 sessions." }, { "lang": "es", "value": "Dovecot v1.2.x anterior a v1.2.15 permite a usuarios autenticados remotamente provocar una denegaci\u00f3n de servicio (interrupci\u00f3n del proceso maestro) mediante la desconexi\u00f3n simultanea de varias sesiones (1) IMAP o (2) POP3" } ], "id": "CVE-2010-3780", "lastModified": "2024-11-21T01:19:35.830", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-10-06T21:00:01.227", "references": [ { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/43220" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "source": "cve@mitre.org", "url": "http://www.redhat.com/support/errata/RHSA-2011-0600.html" }, { "source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "source": 
"cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/43220" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.redhat.com/support/errata/RHSA-2011-0600.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2011/0301" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
fedoraproject | fedora | 30 | |
fedoraproject | fedora | 31 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0CB6EFB-63A3-4B07-8B44-3EB087307500", "versionEndExcluding": "2.3.9.3", "versionStartIncluding": "2.3.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop." }, { "lang": "es", "value": "lib-smtp en submission-login y lmtp en Dovecot versiones 2.3.9 anteriores a 2.3.9.3, maneja inapropiadamente los datos UTF-8 truncados en los par\u00e1metros de comando, como es demostrado por la activaci\u00f3n no autenticada de un bucle infinito de submission-login." 
} ], "id": "CVE-2020-7046", "lastModified": "2024-11-21T05:36:33.290", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-02-12T17:15:12.437", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/02/12/1" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html" }, { "source": 
"cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/02/12/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-835" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "A66F20A6-0784-43FA-848E-3A0E9643FFF1", "versionEndIncluding": "1.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command." }, { "lang": "es", "value": "La extensi\u00f3n ACL del Dovecot anterior a la 1.0.3 permite a usuarios remotos autenticados, con derechos de inserci\u00f3n, guardar ciertos indicadores a trav\u00e9s de los comandos (1) COPY o (2) APPEND." } ], "id": "CVE-2007-4211", "lastModified": "2024-11-21T00:35:03.243", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-08-08T02:17:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26320" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/26475" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/30342" }, { "source": "cve@mitre.org", "url": "http://www.dovecot.org/list/dovecot-news/2007-August/000048.html" }, { "source": "cve@mitre.org", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/25182" }, 
{ "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35767" }, { "source": "cve@mitre.org", "url": "https://issues.rpath.com/browse/RPL-1621" }, { "source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11558" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/26320" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26475" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/30342" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.dovecot.org/list/dovecot-news/2007-August/000048.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/25182" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35767" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://issues.rpath.com/browse/RPL-1621" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11558" } ], "sourceIdentifier": "cve@mitre.org", "vendorComments": [ { "comment": "These issues did not affect the dovecot versions as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. An update to Red Hat Enterprise Linux 5 was released to correct this issue:\nhttps://rhn.redhat.com/errata/RHSA-2008-0297.html\n", "lastModified": "2008-05-21T00:00:00", "organization": "Red Hat" } ], "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
fedoraproject | fedora | 8 | |
fedoraproject | fedora | 9 | |
opensuse | opensuse | 10.3-11.1 | |
canonical | ubuntu_linux | 8.04 | |
canonical | ubuntu_linux | 8.10 | |
canonical | ubuntu_linux | 9.04 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "B084417D-FA5E-45DE-AA03-3932D9292B30", "versionEndExcluding": "1.1.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*", "matchCriteriaId": "72E4DB7F-07C3-46BB-AAA2-05CD0312C57F", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*", "matchCriteriaId": "743CBBB1-C140-4FEF-B40E-FAE4511B1140", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:opensuse:10.3-11.1:*:*:*:*:*:*:*", "matchCriteriaId": "F7018930-D354-4B31-870E-D0E3CE19C8B5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*", "matchCriteriaId": "7EBFE35C-E243-43D1-883D-4398D71763CC", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*", "matchCriteriaId": "4747CC68-FAF4-482F-929A-9DA6C24CB663", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*", "matchCriteriaId": "A5D026D0-EF78-438D-BEDD-FC8571F3ACEB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions." }, { "lang": "es", "value": "El plugin ACL en Dovecot anterior a 1.1.4 trata los derechos de acceso negativos como si fueran derechos de acceso positivos, lo que permite a atacantes evitar las restricciones de acceso previstas." 
} ], "id": "CVE-2008-4577", "lastModified": "2024-11-21T00:52:00.953", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2008-10-15T20:08:02.670", "references": [ { "source": "secalert@redhat.com", "tags": [ "Issue Tracking" ], "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://secunia.com/advisories/32164" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/32471" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/33149" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/33624" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link" ], "url": 
"http://secunia.com/advisories/36904" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Release Notes" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link" ], "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/31587" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "source": "secalert@redhat.com", "tags": [ "Permissions Required" ], "url": "http://www.vupen.com/english/advisories/2008/2745" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://secunia.com/advisories/32164" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": 
[ "Broken Link" ], "url": "http://secunia.com/advisories/32471" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/33149" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/33624" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://secunia.com/advisories/36904" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Release Notes" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/31587" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "http://www.vupen.com/english/advisories/2008/2745" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": 
"https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
fedoraproject | fedora | 20 | |
fedoraproject | fedora | 21 | |
fedoraproject | fedora | 22 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "D23E9845-0791-4C61-A7D9-D2F4010939F2", "versionEndIncluding": "2.2.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*", "matchCriteriaId": "FF47C9F0-D8DA-4B55-89EB-9B2C9383ADB9", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*", "matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*", "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allows remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures." }, { "lang": "es", "value": "La funci\u00f3n ssl-proxy-openssl.c en Dovecot en versiones anteriores a la 2.2.17, cuando SSLv3 est\u00e1 deshabilitado, permite que atacantes remotos provoquen una denegaci\u00f3n de servicio (cierre inesperado del proceso de inicio de sesi\u00f3n) mediante vectores relacionados con errores de negociaci\u00f3n de protocolos." 
} ], "id": "CVE-2015-3420", "lastModified": "2024-11-21T02:29:23.740", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-09-19T15:29:00.740", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157030.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158236.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158261.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2015/04/27/1" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2015/04/28/4" }, { "source": "cve@mitre.org", "tags": [ 
"Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/74335" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1216057" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2015-May/000292.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot/2015-April/100618.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157030.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158236.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158261.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2015/04/27/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2015/04/28/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/74335" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1216057" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2015-May/000292.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"https://dovecot.org/pipermail/dovecot/2015-April/100618.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-295" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | 0.99.13 | |
dovecot | dovecot | 0.99.14 | |
dovecot | dovecot | 1.0 | |
dovecot | dovecot | 1.0.2 | |
dovecot | dovecot | 1.0.3 | |
dovecot | dovecot | 1.0.4 | |
dovecot | dovecot | 1.0.5 | |
dovecot | dovecot | 1.0.6 | |
dovecot | dovecot | 1.0.7 | |
dovecot | dovecot | 1.0.8 | |
dovecot | dovecot | 1.0.9 | |
dovecot | dovecot | 1.0.10 | |
dovecot | dovecot | 1.0.12 | |
dovecot | dovecot | 1.1 | |
dovecot | dovecot | 1.1 | |
dovecot | dovecot | 1.1.0 | |
dovecot | dovecot | 1.1.1 | |
dovecot | dovecot | 1.1.2 | |
dovecot | dovecot | 1.1.3 | |
dovecot | dovecot | 1.1.4 | |
dovecot | dovecot | 1.1.5 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*", "matchCriteriaId": "D0616CCF-D278-4B6D-A58B-393BCA128CF1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*", "matchCriteriaId": "D3C7BE64-7C1E-4043-A1C5-D0A7377C01A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4240BD98-3C31-42CE-AF8F-045DD4BFC084", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1C05ACA0-ED87-4DDF-94B6-8D25BE1790F1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "8A8C0C4A-F9DB-4BB7-BFC5-BEC22C3FE40B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "B7E00B56-A1E5-4261-8349-37654AA9FB64", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "E66427AA-A9D4-413F-8354-EA61407307C1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "D74BE6C7-114D-4885-8472-FFE71C817B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "4A349510-4D00-4978-93D9-3F9F5E0CD8DE", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "B65B9EFD-1531-463C-992E-F0F16AABF9C3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "34BA7146-5793-44F4-9569-9D868FE6E325", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "B5078363-6B42-491B-A219-F8D8A86132BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "B1DDF093-B5C7-4AE5-B3D6-466C543AB2BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1:*:*:*:*:*:*:*", 
"matchCriteriaId": "F8BE860F-A3C2-43E0-BC75-503C437DAADD", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "9E6F249C-2793-46B5-A9E2-5EB3A62FF8E4", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "E4E57B06-8650-4374-B643-6FCBE3ABDAF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B0384E42-1506-4C08-AA5A-18B2A711C7F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "F5DC1CE5-50B9-426E-B98A-224DC499AB15", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "350A26D6-A8BA-4125-A640-264E08D28CB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "71057F4B-3040-4771-B989-9F3453934AAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "1730EBB1-4071-4A23-B770-D564AF422273", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to read and modify arbitrary .sieve files via a \"..\" (dot dot) in a script name." }, { "lang": "es", "value": "Vulnerabilidad de salto de directorio en la implementaci\u00f3n de ManageSieve en Dovecot 1.0.15, 1.1, y 1.2 permite a atacantes remotos leer y modificar arbitrariamente ficheros .sieve a trav\u00e9s de un \"..\" (punto punto) en el nombre de un script." 
} ], "id": "CVE-2008-5301", "lastModified": "2024-11-21T00:53:46.457", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-12-01T17:30:01.437", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/32768" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/36904" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.dovecot.org/list/dovecot/2008-November/035259.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/32582" }, { "source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/3190" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46672" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/32768" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/36904" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.dovecot.org/list/dovecot/2008-November/035259.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/32582" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-838-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"url": "http://www.vupen.com/english/advisories/2008/3190" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46672" } ], "sourceIdentifier": "cve@mitre.org", "vendorComments": [ { "comment": "Not vulnerable. This issue did not affect the versions of dovecot as shipped with Red Hat Enterprise Linux 4, or 5. Those packages do not include ManageSieve server.", "lastModified": "2008-12-02T00:00:00", "organization": "Red Hat" } ], "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
fedoraproject | fedora | 33 | |
fedoraproject | fedora | 34 | |
debian | debian_linux | 10.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B8465A8-D59A-40D7-9422-DF558C428871", "versionEndExcluding": "2.3.14.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address." }, { "lang": "es", "value": "El servicio de env\u00edo en Dovecot versiones anteriores a 2.3.15, permite la inyecci\u00f3n de comandos STARTTLS en lib-smtp. 
La informaci\u00f3n confidencial puede ser redirigida a una direcci\u00f3n controlada por el atacante" } ], "id": "CVE-2021-33515", "lastModified": "2024-11-21T06:08:59.917", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-06-28T13:15:20.960", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": 
"https://security.gentoo.org/glsa/202107-41" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2021/06/28/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202107-41" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2021/06/28/2" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-77" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
7.1 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.33.2:*:*:*:*:*:*:*", "matchCriteriaId": "DDA6B30F-59C7-4B98-AEDF-9341F3886A6C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:ubuntu:ubuntu:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "80D933F0-A437-4AAA-88C2-9AF7153F9046", "vulnerable": true }, { "criteria": "cpe:2.3:o:ubuntu:ubuntu:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "DEC57FA0-E21B-4F6B-B7DC-90BA281826BA", "vulnerable": true }, { "criteria": "cpe:2.3:o:ubuntu:ubuntu:17.10:*:*:*:*:*:*:*", "matchCriteriaId": "4AC71056-D783-44B4-AAF1-CA176B4C25BC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server." }, { "lang": "es", "value": "Un email especialmente manipulado enviado mediante SMTP y pasado a Dovecot por el MTA puede desencadenar una lectura fuera de l\u00edmites que resulta en la posible revelaci\u00f3n de informaci\u00f3n sensible y una denegaci\u00f3n de servicio (DoS). Para desencadenar esta vulnerabilidad, un atacante necesita enviar un mensaje de email especialmente manipulado al servidor." 
} ], "id": "CVE-2017-14461", "lastModified": "2024-11-21T03:12:50.433", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "talos-cna@cisco.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-03-02T15:29:00.210", "references": [ { "source": "talos-cna@cisco.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103201" }, { "source": "talos-cna@cisco.com", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "source": "talos-cna@cisco.com", "tags": [ "Third Party Advisory" ], "url": 
"https://talosintelligence.com/vulnerability_reports/TALOS-2017-0510" }, { "source": "talos-cna@cisco.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://usn.ubuntu.com/3587-1/" }, { "source": "talos-cna@cisco.com", "url": "https://usn.ubuntu.com/3587-2/" }, { "source": "talos-cna@cisco.com", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2018/dsa-4130" }, { "source": "talos-cna@cisco.com", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/103201" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0510" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://usn.ubuntu.com/3587-1/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/3587-2/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2018/dsa-4130" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" } ], "sourceIdentifier": "talos-cna@cisco.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-125" } ], "source": "talos-cna@cisco.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-125" }, { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
fedoraproject | fedora | 30 | |
fedoraproject | fedora | 31 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0CB6EFB-63A3-4B07-8B44-3EB087307500", "versionEndExcluding": "2.3.9.3", "versionStartIncluding": "2.3.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing \u003e character exists. This causes a denial of service in which the recipient cannot read all of their messages." }, { "lang": "es", "value": "Los plugins IMAP y LMTP en Dovecot versiones 2.3.9 anteriores a 2.3.9.3, manejan inapropiadamente la generaci\u00f3n de fragmentos cuando se deben leer muchos caracteres para calcular el fragmento y existe un car\u00e1cter \u003e al final. Esto provoca una denegaci\u00f3n de servicio en la que el destinatario no puede leer todos sus mensajes." 
} ], "id": "CVE-2020-7957", "lastModified": "2024-11-21T05:38:05.377", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.0" }, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-02-12T17:15:12.563", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/02/12/2" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html" }, 
{ "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/02/12/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
dovecot | dovecot | 2.3.0 | |
debian | debian_linux | 7.0 | |
debian | debian_linux | 8.0 | |
debian | debian_linux | 9.0 | |
canonical | ubuntu_linux | 12.04 | |
canonical | ubuntu_linux | 14.04 | |
canonical | ubuntu_linux | 16.04 | |
canonical | ubuntu_linux | 17.10 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "F64EF3A1-D4E6-4B36-A8ED-1F5D6A7E179A", "versionEndIncluding": "2.2.33", "versionStartIncluding": "2.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "891476A9-DA14-4647-A40F-19093E099954", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "matchCriteriaId": "9070C9D8-A14A-467F-8253-33B966C16886", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot\u0027s auth client used by login processes. 
The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion." }, { "lang": "es", "value": "Se ha detectado un fallo en dovecot desde la versi\u00f3n 2.0 hasta la 2.2.33 y 2.3.0. El aborto de una autenticaci\u00f3n SASL resulta en una fuga de memoria en el cliente de autenticaci\u00f3n de dovecot utilizado por los procesos de inicio de sesi\u00f3n. La fuga provoca un impacto en la configuraci\u00f3n de alto rendimiento en donde los mismos procesos de inicio de sesi\u00f3n se reutilizan y pueden provocar que el proceso se cierre de manera inesperada al agotarse la memoria." } ], "id": "CVE-2017-15132", "lastModified": "2024-11-21T03:14:08.107", "metrics": { "cvssMetricV2": [ { "acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-01-25T20:29:00.213", "references": [ { "source": "secalert@redhat.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1532768" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch" }, { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/3556-1/" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/3556-2/" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2018/dsa-4130" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1532768" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/3556-1/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/3556-2/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2018/dsa-4130" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "secalert@redhat.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-772" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | 1.2.0 | |
dovecot | dovecot | 1.2.1 | |
dovecot | dovecot | 1.2.2 | |
dovecot | dovecot | 1.2.3 | |
dovecot | dovecot | 1.2.4 | |
dovecot | dovecot | 1.2.5 | |
dovecot | dovecot | 1.2.6 | |
dovecot | dovecot | 1.2.7 | |
dovecot | dovecot | 1.2.8 | |
dovecot | dovecot | 1.2.9 | |
dovecot | dovecot | 1.2.10 | |
dovecot | dovecot | 1.2.11 | |
dovecot | dovecot | 1.2.12 | |
dovecot | dovecot | 1.2.13 | |
dovecot | dovecot | 1.2.14 | |
dovecot | dovecot | 2.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD2D1C99-0594-4378-AA6C-EC2E890E41FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "96F35305-79B4-49CD-A89F-A559CA9EEB33", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "EDC7E277-A5AE-4025-8412-E715D1C8C0F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "0DBE1D51-B9D5-4E59-81F6-C6937DA78637", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "30B37ACE-64EA-49E7-B836-C3F05CAE0392", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "1204F5C2-916D-4C27-A5C4-5B5E0AAA7322", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "A0C46C8A-EA49-4356-BA6B-8EC0F2E70B3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "96F54038-B17B-40C0-9C2E-20AF55E7602B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "BBB0B72A-1C7D-4F89-BE89-CD82F667CB76", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "FEF89EB6-CBF5-48DF-8FDD-2C0AE0266B3D", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "41B2B3D8-EB69-4BD8-ACD5-CB6BFDE6B2FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "E1A909DC-0D77-4690-87D2-51A7564B63B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "BB2F767F-5D7F-40AC-BA57-4E819F486301", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.13:*:*:*:*:*:*:*", 
"matchCriteriaId": "68296C7C-B72C-46E7-A280-5E86E1470FDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.2.14:*:*:*:*:*:*:*", "matchCriteriaId": "72E1AF54-0446-49FB-A6B8-AF14833A3D0C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3DDF90CB-3787-4872-B292-CE12FB6D62EF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin permission to the owner of each mailbox in a non-public namespace, which might allow remote authenticated users to bypass intended access restrictions by changing the ACL of a mailbox, as demonstrated by a symlinked shared mailbox." }, { "lang": "es", "value": "Dovecot v1.2.x anterior a v1.2.15 y v2.0.x anterior a v2.0.beta2 proporciona permisos de administrador al propietario de cada buz\u00f3n de correo en un espacio de nombres no p\u00fablico (non-public namespace), lo que podr\u00eda permitir a usuarios autenticados remotamente evitar restricciones de acceso intencionadas cambiando el ACL de un buz\u00f3n de correo, tal y como se demostr\u00f3 con un buz\u00f3n \"symlinked shared\"" } ], "id": "CVE-2010-3779", "lastModified": "2024-11-21T01:19:35.693", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": 
"2010-10-06T21:00:01.180", "references": [ { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/43220" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "source": "cve@mitre.org", "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html" }, { "source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2011/0301" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/43220" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-1059-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2010/2840" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2011/0301" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
debian | debian_linux | 10.0 | |
fedoraproject | fedora | 32 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE38F95F-06DD-4637-90B3-44ED99AE668D", "versionEndExcluding": "2.3.13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts." }, { "lang": "es", "value": "Dovecot versiones anteriores a 2.3.13, presenta una Comprobaci\u00f3n de Entrada Inapropiada en lda, lmtp e imap, conllevando a un bloqueo de la aplicaci\u00f3n por medio de un mensaje de correo electr\u00f3nico dise\u00f1ado con determinadas opciones para diez mil partes MIME." 
} ], "id": "CVE-2020-25275", "lastModified": "2024-11-21T05:17:50.103", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-01-04T17:15:13.930", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/160841/Dovecot-2.3.11.3-Denial-Of-Service.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2021/Jan/18" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2021/01/04/3" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202101-01" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2021/dsa-4825" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/160841/Dovecot-2.3.11.3-Denial-Of-Service.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2021/Jan/18" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2021/01/04/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202101-01" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2021/dsa-4825" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | 2.0.0 | |
dovecot | dovecot | 2.0.1 | |
dovecot | dovecot | 2.0.2 | |
dovecot | dovecot | 2.0.3 | |
dovecot | dovecot | 2.0.4 | |
dovecot | dovecot | 2.0.5 | |
dovecot | dovecot | 2.0.6 | |
dovecot | dovecot | 2.0.7 | |
dovecot | dovecot | 2.0.8 | |
dovecot | dovecot | 2.0.9 | |
dovecot | dovecot | 2.0.10 | |
dovecot | dovecot | 2.0.11 | |
dovecot | dovecot | 2.0.12 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AEE31582-7AE3-4131-BDE9-5654DE58FAF3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "65102391-C9AF-4CA3-AC43-0C52A7A37363", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "593DF083-5960-4BD5-AFC4-668B30E32E59", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "4DCC5E56-D31E-45F0-B18B-D98C219DEBAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "D969ED92-F429-4F67-8366-31A73CEE6A47", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "8D4074C5-98E7-4A65-9413-17081FE12F0E", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "810788F1-D928-4190-94F9-944AF677C9BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "CD6739FA-5AFE-46E9-AFB6-147736A81A86", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "4D486B62-AEB1-448E-88B9-267A1E1405A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "062E0A90-0C22-4E5F-8D12-B3A17EE87789", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "C9DCBDC9-B290-4495-8D15-C0E9AD595291", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "E7574EAB-5E97-4906-9D7E-33654BFAEC6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "F575E273-7FF6-44A0-A217-7A7544ED8061", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], 
"descriptions": [ { "lang": "en", "value": "script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script." }, { "lang": "es", "value": "Las secuencias de comandos de inicio de sesi\u00f3n en Dovecot v2.0.x antes de v2.0.13 no sigue las opciones de configuraci\u00f3n de chroot, lo que podr\u00eda permitir a usuarios remotos autenticados realizar ataques de directorio transversal mediante el aprovechamiento de una secuencia de comandos." } ], "id": "CVE-2011-2167", "lastModified": "2024-11-21T01:27:44.190", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-05-24T23:55:04.480", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/52311" }, { "source": "cve@mitre.org", "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/48003" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67674" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Patch" ], "url": "http://dovecot.org/pipermail/dovecot/2011-May/059085.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-0520.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/52311" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.dovecot.org/doc/NEWS-2.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/48003" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67674" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
fedoraproject | fedora | 33 | |
fedoraproject | fedora | 34 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "8FF0234A-F902-4B8D-8453-C3D3B24F9C5B", "versionEndExcluding": "2.3.14.1", "versionStartIncluding": "2.3.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver." }, { "lang": "es", "value": "Dovecot versiones anteriores a 2.3.15, permite un Salto de Ruta ../. Un atacante con acceso al sistema de archivos local puede enga\u00f1ar a la autenticaci\u00f3n OAuth2 en usar una clave de comprobaci\u00f3n HS256 desde una ubicaci\u00f3n controlada por el atacante. 
Esto ocurre durante el uso de la comprobaci\u00f3n JWT local con el controlador posix fs" } ], "id": "CVE-2021-29157", "lastModified": "2024-11-21T06:00:48.187", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.1, "impactScore": 5.8, "source": "cve@mitre.org", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-06-28T12:15:08.647", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, 
{ "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202107-41" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2021/06/28/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202107-41" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2021/06/28/1" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DB6684C-0046-4823-84F7-E366629538D2", "versionEndIncluding": "2.2.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "B11EF361-E553-402A-83EE-71D887FC9F69", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "7E47CA62-99F7-4906-B6F6-245A4B22AC99", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "52F33ED8-9902-41B8-9189-462620FD62C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc4:*:*:*:*:*:*", "matchCriteriaId": "6741622C-7CCB-4FB7-AF17-EE95C3311D78", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc5:*:*:*:*:*:*", "matchCriteriaId": "856E97CA-689D-409C-B8DF-AD95AA3CD7ED", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc6:*:*:*:*:*:*", "matchCriteriaId": "89EF88D5-2FA2-4F97-BA26-9FD82D4CD37A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2:rc7:*:*:*:*:*:*", "matchCriteriaId": "AF73C3A2-C646-4D46-9975-B6FEDD262542", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9260A530-7A6D-4223-94B6-D3DCDF7FF331", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The IMAP functionality in Dovecot before 2.2.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via invalid APPEND parameters." }, { "lang": "es", "value": "La funcionalidad IMAP en Dovecot anterior a 2.2.2 permite a atacantes remotos causar una denegaci\u00f3n de servicio (bucle infinito y consumo de CPU) a trav\u00e9s de par\u00e1metros APPEND inv\u00e1lidos." 
} ], "id": "CVE-2013-2111", "lastModified": "2024-11-21T01:51:03.390", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-05-27T14:55:06.400", "references": [ { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/53492" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot-news/2013-May/000255.html" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/05/24/1" }, { "source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1028585" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/53492" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.dovecot.org/list/dovecot-news/2013-May/000255.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2013/05/24/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1028585" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | * | |
debian | debian_linux | 8.0 | |
debian | debian_linux | 9.0 | |
canonical | ubuntu_linux | 14.04 | |
canonical | ubuntu_linux | 16.04 | |
canonical | ubuntu_linux | 17.10 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "C372D0FA-228E-4F34-BC6F-EA6F038E392E", "versionEndExcluding": "2.2.34", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true }, { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "matchCriteriaId": "9070C9D8-A14A-467F-8253-33B966C16886", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart." }, { "lang": "es", "value": "Se ha descubierto un error de denegaci\u00f3n de servicio (DoS) en dovecot en versiones anteriores a la 2.2.34. Un atacante que pueda generar nombres aleatorios del servidor SNI podr\u00eda explotar las b\u00fasquedas de configuraci\u00f3n TLS SNI, lo que conduce a un uso excesivo de memoria y al reinicio del proceso." 
} ], "id": "CVE-2017-15130", "lastModified": "2024-11-21T03:14:07.867", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-03-02T15:29:00.273", "references": [ { "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/oss-sec/2018/q1/205" }, { "source": "secalert@redhat.com", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1532356" }, { "source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/3587-1/" }, { "source": "secalert@redhat.com", "url": "https://usn.ubuntu.com/3587-2/" }, { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2018/dsa-4130" }, { "source": "secalert@redhat.com", "tags": [ "Release Notes", "Vendor Advisory" ], 
"url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/oss-sec/2018/q1/205" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1532356" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://usn.ubuntu.com/3587-1/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/3587-2/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2018/dsa-4130" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "secalert@redhat.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B753CF9-8EB3-4925-9772-F6044915C907", "versionEndExcluding": "2.3.10.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command." }, { "lang": "es", "value": "En Dovecot versiones anteriores a 2.3.10.1, un mensaje SMTP/LMTP dise\u00f1ado desencadena un bug no autenticado de uso de la memoria previamente liberada en submission-login, submission, o lmtp, y puede conllevar a un bloqueo bajo circunstancias que impliquen muchas l\u00edneas nuevas despu\u00e9s de un comando." } ], "id": "CVE-2020-10958", "lastModified": "2024-11-21T04:56:27.237", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": 
"cve@mitre.org", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-05-18T14:15:11.827", "references": [ { "source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4361-1/" }, { "source": "cve@mitre.org", "url": "https://www.debian.org/security/2020/dsa-4690" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2020/May/37" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2020/05/18/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://dovecot.org/security" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/4361-1/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2020/dsa-4690" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://www.openwall.com/lists/oss-security/2020/05/18/1" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-416" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
dovecot | dovecot | 0.99.13 | |
dovecot | dovecot | 0.99.14 | |
dovecot | dovecot | 1.0 | |
dovecot | dovecot | 1.0.2 | |
dovecot | dovecot | 1.0.3 | |
dovecot | dovecot | 1.0.4 | |
dovecot | dovecot | 1.0.5 | |
dovecot | dovecot | 1.0.6 | |
dovecot | dovecot | 1.0.7 | |
dovecot | dovecot | 1.0.8 | |
dovecot | dovecot | 1.0.9 | |
dovecot | dovecot | 1.0.10 | |
dovecot | dovecot | 1.0.beta2 | |
dovecot | dovecot | 1.0.beta3 | |
dovecot | dovecot | 1.0.beta7 | |
dovecot | dovecot | 1.0.beta8 | |
dovecot | dovecot | 1.0.rc1 | |
dovecot | dovecot | 1.0.rc2 | |
dovecot | dovecot | 1.0.rc3 | |
dovecot | dovecot | 1.0.rc4 | |
dovecot | dovecot | 1.0.rc5 | |
dovecot | dovecot | 1.0.rc6 | |
dovecot | dovecot | 1.0.rc7 | |
dovecot | dovecot | 1.0.rc8 | |
dovecot | dovecot | 1.0.rc9 | |
dovecot | dovecot | 1.0.rc10 | |
dovecot | dovecot | 1.0.rc11 | |
dovecot | dovecot | 1.0.rc12 | |
dovecot | dovecot | 1.0.rc13 | |
dovecot | dovecot | 1.0.rc14 | |
dovecot | dovecot | 1.0.rc15 | |
dovecot | dovecot | 1.0_rc29 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*", "matchCriteriaId": "D0616CCF-D278-4B6D-A58B-393BCA128CF1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*", "matchCriteriaId": "D3C7BE64-7C1E-4043-A1C5-D0A7377C01A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4240BD98-3C31-42CE-AF8F-045DD4BFC084", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1C05ACA0-ED87-4DDF-94B6-8D25BE1790F1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "8A8C0C4A-F9DB-4BB7-BFC5-BEC22C3FE40B", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "B7E00B56-A1E5-4261-8349-37654AA9FB64", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "E66427AA-A9D4-413F-8354-EA61407307C1", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "D74BE6C7-114D-4885-8472-FFE71C817B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "4A349510-4D00-4978-93D9-3F9F5E0CD8DE", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "B65B9EFD-1531-463C-992E-F0F16AABF9C3", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "34BA7146-5793-44F4-9569-9D868FE6E325", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "B5078363-6B42-491B-A219-F8D8A86132BF", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*", "matchCriteriaId": "9D680474-C329-4DD0-B4EA-2406E27EC474", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*", 
"matchCriteriaId": "165A0D0B-C6B0-431F-BF36-223A27CD6A42", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*", "matchCriteriaId": "99268D48-CF82-450B-A033-D87AF4109531", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*", "matchCriteriaId": "B2E09737-8107-45C0-BFF1-FB4CF81564CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*", "matchCriteriaId": "91E74D81-DF10-423A-8549-3BB5ED02B5A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*", "matchCriteriaId": "07D6853E-7E81-443D-8806-C8469217F55C", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*", "matchCriteriaId": "D1BE4B6A-47A2-457B-B6B8-8FE5C2026A11", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*", "matchCriteriaId": "7382F655-9B27-443D-9397-346FBEADEFDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*", "matchCriteriaId": "6F180045-A0DA-40A3-AD3E-F3402FB6456A", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*", "matchCriteriaId": "C1A2FFE7-D008-47B4-80E7-AEC176918E06", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*", "matchCriteriaId": "8C840337-7B31-476B-BBCD-65F4899925E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*", "matchCriteriaId": "545EF2F5-9BAE-4612-9958-70A5413818A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*", "matchCriteriaId": "E80096F8-46D9-42E3-8CDB-99ADA2CBD970", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*", "matchCriteriaId": "9E504866-3429-4A4C-8278-5C2753D356C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*", "matchCriteriaId": "30857130-636F-4719-9F1E-8F6369F40DAC", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*", "matchCriteriaId": "9843D7CE-4723-4200-AFD4-5B31545A287E", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*", "matchCriteriaId": "54AF1D92-D89B-4DE4-9D47-72466873A4C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*", "matchCriteriaId": "64A8FCA5-1666-48F7-9689-37D9315813F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*", "matchCriteriaId": "D4D517F3-F0A8-4362-89B9-0ED63515283F", "vulnerable": true }, { "criteria": "cpe:2.3:a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*", "matchCriteriaId": "3AAE9E7C-49CC-48C3-B47C-CDC5802356A7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack." }, { "lang": "es", "value": "Dovecot antes de 1.0.11, cuando se configura para utilizar mail_extra_groups para permitir a Dovecot crear dotlocks en /var/mail, podr\u00eda permitir a usuarios locales leer archivos de mail sensibles para otros usuarios, o modificar archivos o directorios que sean escribibles por el grupo, a trav\u00e9s de un ataque de enlaces simb\u00f3licos." 
} ], "id": "CVE-2008-1199", "lastModified": "2024-11-21T00:43:55.700", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-03-06T21:44:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29226" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29385" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29396" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29557" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/30342" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/32151" }, { "source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1516" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html" }, { "source": "cve@mitre.org", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/28092" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009" }, { 
"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739" }, { "source": "cve@mitre.org", "url": "https://usn.ubuntu.com/593-1/" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29226" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29385" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29396" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29557" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/30342" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32151" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2008/dsa-1516" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/28092" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/41009" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/593-1/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html" } ], "sourceIdentifier": "cve@mitre.org", "vendorComments": [ { "comment": "Red Hat is aware of this issue and is tracking it via the following bug:\nhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1199\n\nThis issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.\n\nThe Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. \n\nAn update to Red Hat Enterprise Linux 5 was released to correct this issue:\nhttps://rhn.redhat.com/errata/RHSA-2008-0297.html\n", "lastModified": "2008-05-21T00:00:00", "organization": "Red Hat" } ], "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-16" }, { "lang": "en", "value": "CWE-59" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
var-201803-0134
Vulnerability from variot
A specially crafted email delivered over SMTP and passed on to Dovecot by an MTA can trigger an out-of-bounds read, resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server. Dovecot contains an out-of-bounds read vulnerability and an information disclosure vulnerability. Information may be obtained and service operation may be interrupted (DoS). Dovecot is an open source IMAP and POP3 mail server for Linux/UNIX-like systems. An out-of-bounds read vulnerability exists in Dovecot version 2.2.33.2. This vulnerability can be used to cause denial of service and access to sensitive information. Dovecot is prone to an information-disclosure vulnerability. Failed exploit attempts will result in a denial-of-service condition. Dovecot 2.2.33.2 is vulnerable; other versions may also be affected.
==========================================================================
Ubuntu Security Notice USN-3587-2 April 02, 2018
dovecot vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in Dovecot. This update provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that Dovecot incorrectly handled parsing certain email addresses. (CVE-2017-14461)
It was discovered that Dovecot incorrectly handled TLS SNI config lookups. (CVE-2017-15130)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 12.04 ESM: dovecot-core 1:2.0.19-0ubuntu2.5
In general, a standard system update will make all the necessary changes.
References: https://usn.ubuntu.com/usn/usn-3587-2 https://usn.ubuntu.com/usn/usn-3587-1 CVE-2017-14461, CVE-2017-15130

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Debian Security Advisory DSA-4130-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 02, 2018                        https://www.debian.org/security/faq

Package    : dovecot
CVE ID     : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132
Debian Bug : 888432 891819 891820
Several vulnerabilities have been discovered in the Dovecot email server. The Common Vulnerabilities and Exposures project identifies the following issues:
CVE-2017-14461
Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that
Dovecot does not properly parse invalid email addresses, which may
cause a crash or leak memory contents to an attacker.
CVE-2017-15130
It was discovered that TLS SNI config lookups may lead to excessive
memory usage, causing imap-login/pop3-login VSZ limit to be reached
and the process restarted, resulting in a denial of service. Only
Dovecot configurations containing local_name { } or local { }
configuration blocks are affected.
CVE-2017-15132
It was discovered that Dovecot contains a memory leak flaw in the
login process on aborted SASL authentication.
For the oldstable distribution (jessie), these problems have been fixed in version 1:2.2.13-12~deb8u4.
For the stable distribution (stretch), these problems have been fixed in version 1:2.2.27-3+deb9u2.
We recommend that you upgrade your dovecot packages.
For the detailed security status of dovecot please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dovecot
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqZzelfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0T8fg/+KmUzgEXDQFSnWOmSt+8GXFB08C2XtXmopMuej/1tjkZZ7B04vXfkgYZ9 u7zICbM56VrTmnXOYnLuXjqLrzGO0Y9jX+Z5G4BSw0TgP+g6ME72ZvqxuE4IKQqi QlaKTX86B1AMpzvkLrhwXlArJDr7pJzOonFJds6rKtVA4OvY4/fAAWrH89BFchet VwdO5rngcd/qnAYVOZglTMfgVlzxvenx+0fbQ6JFS6T8ODOFSsnwth64u3KY8yYj 4PGTBqX4m+2S2q2qGinueBgHNUV4RK71Zw1QYDa2gMBQR3HtlMnDhmQ4uYCvKP04 Z1GJYX6dMxMSWPKC2WecrdCSV+QAdMlYypKbhqcLA4LHcdPR+v35oQT4X/SYd2WS Zf50KMYUm9Q3YiOHVDrJo+o21hX4g8hRw1wdewZz+wyQ1n1TOlVtRh4vmACKRzNx 7bUayEvVU3q3VQd+dDH2Bl+TBiO7RB5/b2pHp8vHwAlVX00jYSSnoLUKT0L4BQ54 +1DZ8j88OFKDxTgOsbk19rhfraY7iejAjHZDVnJBwC/tB9REG6DOrDIG4OJqTKw4 sP1JaHryOGXzOf/8h61rY5HAuwofGkAZN7S+Bel0+zGYJvIcSyxpBKvJB/0TDNjm E5KphLFG9RGVmdeVkQzG6tGUMnMXxFrAD5U3hlzUsNGLLA+RE78= =Yh09 -----END PGP SIGNATURE-----
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201803-0134", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.2.33.2" }, { "model": "ubuntu", "scope": "eq", "trust": 1.6, "vendor": "ubuntu", "version": "16.04" }, { "model": "ubuntu", "scope": "eq", "trust": 1.6, "vendor": "ubuntu", "version": 
"17.10" }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "8.0" }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "9.0" }, { "model": "ubuntu", "scope": "eq", "trust": 1.0, "vendor": "ubuntu", "version": "14.04" }, { "model": "ubuntu", "scope": null, "trust": 0.8, "vendor": "canonical", "version": null }, { "model": "gnu/linux", "scope": null, "trust": 0.8, "vendor": "debian", "version": null }, { "model": "dovecot", "scope": null, "trust": 0.8, "vendor": "timo sirainen", "version": null } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-06399" }, { "db": "BID", "id": "103201" }, { "db": "JVNDB", "id": "JVNDB-2017-012764" }, { "db": "NVD", "id": "CVE-2017-14461" }, { "db": "CNNVD", "id": "CNNVD-201709-607" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.2.33.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:ubuntu:ubuntu:14.04:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:ubuntu:ubuntu:16.04:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:ubuntu:ubuntu:17.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2017-14461" } ] }, "credits": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Aleksandar Nikolic of Cisco Talos.", "sources": [ { "db": "BID", "id": "103201" } ], "trust": 0.3 }, "cve": "CVE-2017-14461", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "impactScore": 4.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "Single", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 5.5, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2017-14461", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": 
"2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CNVD-2018-06399", "impactScore": 4.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "exploitabilityScore": 2.8, "impactScore": 4.2, "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.0" }, { "attackComplexity": "HIGH", "attackVector": "NETWORK", "author": "talos-cna@cisco.com", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitabilityScore": 1.6, "impactScore": 4.2, "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.0" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 7.1, "baseSeverity": "High", "confidentialityImpact": "Low", "exploitabilityScore": null, "id": "CVE-2017-14461", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2017-14461", "trust": 1.8, "value": "HIGH" }, { "author": "talos-cna@cisco.com", "id": "CVE-2017-14461", "trust": 1.0, "value": "MEDIUM" }, { "author": "CNVD", "id": "CNVD-2018-06399", "trust": 0.6, "value": 
"MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201709-607", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-06399" }, { "db": "JVNDB", "id": "JVNDB-2017-012764" }, { "db": "NVD", "id": "CVE-2017-14461" }, { "db": "NVD", "id": "CVE-2017-14461" }, { "db": "CNNVD", "id": "CNNVD-201709-607" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server. Dovecot Contains an out-of-bounds vulnerability and an information disclosure vulnerability.Information is obtained and service operation is interrupted (DoS) There is a possibility of being put into a state. Dovecot is an open source IMAP and POP3 mail server based on Linux/UNIX-like systems. A cross-boundary read vulnerability exists in Dovecot version 2.2.33.2. This vulnerability can be used to cause denial of service and access to sensitive information. Dovecot is prone to an information-disclosure vulnerability. Failed exploit attempts will result in a denial-of-service condition. \nDovecot 2.2.33.2 is vulnerable; other versions may also be affected. ==========================================================================\nUbuntu Security Notice USN-3587-2\nApril 02, 2018\n\ndovecot vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 12.04 ESM\n\nSummary:\n\nSeveral security issues were fixed in Dovecot. This update provides\nthe corresponding update for Ubuntu 12.04 ESM. 
\n\nOriginal advisory details:\n\n It was discovered that Dovecot incorrectly handled parsing certain\n email addresses. (CVE-2017-14461)\n\n It was discovered that Dovecot incorrectly handled TLS SNI config\n lookups. (CVE-2017-15130)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 12.04 ESM:\n dovecot-core 1:2.0.19-0ubuntu2.5\n\nIn general, a standard system update will make all the necessary\nchanges. \n\nReferences:\n https://usn.ubuntu.com/usn/usn-3587-2\n https://usn.ubuntu.com/usn/usn-3587-1\n CVE-2017-14461, CVE-2017-15130\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4130-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMarch 02, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : dovecot\nCVE ID : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132\nDebian Bug : 888432 891819 891820\n\nSeveral vulnerabilities have been discovered in the Dovecot email\nserver. The Common Vulnerabilities and Exposures project identifies the\nfollowing issues:\n\nCVE-2017-14461\n\n Aleksandar Nikolic of Cisco Talos and \u0027flxflndy\u0027 discovered that\n Dovecot does not properly parse invalid email addresses, which may\n cause a crash or leak memory contents to an attacker. \n\nCVE-2017-15130\n\n It was discovered that TLS SNI config lookups may lead to excessive\n memory usage, causing imap-login/pop3-login VSZ limit to be reached\n and the process restarted, resulting in a denial of service. Only\n Dovecot configurations containing local_name { } or local { }\n configuration blocks are affected. \n\nCVE-2017-15132\n\n It was discovered that Dovecot contains a memory leak flaw in the\n login process on aborted SASL authentication. 
\n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 1:2.2.13-12~deb8u4. \n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1:2.2.27-3+deb9u2. \n\nWe recommend that you upgrade your dovecot packages. \n\nFor the detailed security status of dovecot please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/dovecot\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqZzelfFIAAAAAALgAo\naXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2\nNDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND\nz0T8fg/+KmUzgEXDQFSnWOmSt+8GXFB08C2XtXmopMuej/1tjkZZ7B04vXfkgYZ9\nu7zICbM56VrTmnXOYnLuXjqLrzGO0Y9jX+Z5G4BSw0TgP+g6ME72ZvqxuE4IKQqi\nQlaKTX86B1AMpzvkLrhwXlArJDr7pJzOonFJds6rKtVA4OvY4/fAAWrH89BFchet\nVwdO5rngcd/qnAYVOZglTMfgVlzxvenx+0fbQ6JFS6T8ODOFSsnwth64u3KY8yYj\n4PGTBqX4m+2S2q2qGinueBgHNUV4RK71Zw1QYDa2gMBQR3HtlMnDhmQ4uYCvKP04\nZ1GJYX6dMxMSWPKC2WecrdCSV+QAdMlYypKbhqcLA4LHcdPR+v35oQT4X/SYd2WS\nZf50KMYUm9Q3YiOHVDrJo+o21hX4g8hRw1wdewZz+wyQ1n1TOlVtRh4vmACKRzNx\n7bUayEvVU3q3VQd+dDH2Bl+TBiO7RB5/b2pHp8vHwAlVX00jYSSnoLUKT0L4BQ54\n+1DZ8j88OFKDxTgOsbk19rhfraY7iejAjHZDVnJBwC/tB9REG6DOrDIG4OJqTKw4\nsP1JaHryOGXzOf/8h61rY5HAuwofGkAZN7S+Bel0+zGYJvIcSyxpBKvJB/0TDNjm\nE5KphLFG9RGVmdeVkQzG6tGUMnMXxFrAD5U3hlzUsNGLLA+RE78=\n=Yh09\n-----END PGP SIGNATURE-----\n", "sources": [ { "db": "NVD", "id": "CVE-2017-14461" }, { "db": "JVNDB", "id": "JVNDB-2017-012764" }, { "db": "CNVD", "id": "CNVD-2018-06399" }, { "db": "BID", "id": "103201" }, { "db": "PACKETSTORM", "id": "147005" }, { "db": "PACKETSTORM", "id": "146647" }, { "db": "PACKETSTORM", "id": "146656" } ], "trust": 2.7 }, "external_ids": { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2017-14461", "trust": 3.6 }, { "db": "TALOS", "id": "TALOS-2017-0510", "trust": 2.5 }, { "db": "BID", "id": "103201", "trust": 2.5 }, { "db": "JVNDB", "id": "JVNDB-2017-012764", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2018-06399", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201709-607", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "147005", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "146647", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "146656", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-06399" }, { "db": "BID", "id": "103201" }, { "db": "JVNDB", "id": "JVNDB-2017-012764" }, { "db": "PACKETSTORM", "id": "147005" }, { "db": "PACKETSTORM", "id": "146647" }, { "db": "PACKETSTORM", "id": "146656" }, { "db": "NVD", "id": "CVE-2017-14461" }, { "db": "CNNVD", "id": "CNNVD-201709-607" } ] }, "id": "VAR-201803-0134", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2018-06399" } ], "trust": 0.06 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-06399" } ] }, "last_update_date": "2023-12-18T12:57:05.173000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, 
"data": [ { "title": "[SECURITY] [DLA 1333-1] dovecot security update", "trust": 0.8, "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "title": "DSA-4130", "trust": 0.8, "url": "https://www.debian.org/security/2018/dsa-4130" }, { "title": "[Dovecot-news] v2.2.34 released", "trust": 0.8, "url": "https://www.dovecot.org/list/dovecot-news/2018-february/000370.html" }, { "title": "USN-3587-1", "trust": 0.8, "url": "https://usn.ubuntu.com/3587-1/" }, { "title": "USN-3587-2", "trust": 0.8, "url": "https://usn.ubuntu.com/3587-2/" }, { "title": "Dovecot Buffer error vulnerability fix", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=190036" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-012764" }, { "db": "CNNVD", "id": "CNNVD-201709-607" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-125", "trust": 1.8 }, { "problemtype": "CWE-200", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-012764" }, { "db": "NVD", "id": "CVE-2017-14461" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.2, "url": "https://talosintelligence.com/vulnerability_reports/talos-2017-0510" }, { "trust": 1.6, "url": "http://www.securityfocus.com/bid/103201" }, { "trust": 1.6, "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "trust": 1.6, "url": "https://usn.ubuntu.com/3587-1/" }, { "trust": 1.6, "url": "https://usn.ubuntu.com/3587-2/" }, { "trust": 1.6, "url": "https://www.debian.org/security/2018/dsa-4130" }, { "trust": 1.6, "url": "https://www.dovecot.org/list/dovecot-news/2018-february/000370.html" }, { 
"trust": 1.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-14461" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14461" }, { "trust": 0.3, "url": "http://www.dovecot.org/" }, { "trust": 0.3, "url": "https://www.talosintelligence.com/vulnerability_reports/talos-2017-0510" }, { "trust": 0.3, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-15130" }, { "trust": 0.2, "url": "https://usn.ubuntu.com/usn/usn-3587-1" }, { "trust": 0.1, "url": "https://usn.ubuntu.com/usn/usn-3587-2" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/dovecot/1:2.2.9-1ubuntu2.4" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/dovecot/1:2.2.22-1ubuntu2.7" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/dovecot/1:2.2.27-3ubuntu1.3" }, { "trust": 0.1, "url": "https://www.debian.org/security/faq" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-15132" }, { "trust": 0.1, "url": "https://www.debian.org/security/" }, { "trust": 0.1, "url": "https://security-tracker.debian.org/tracker/dovecot" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-06399" }, { "db": "BID", "id": "103201" }, { "db": "JVNDB", "id": "JVNDB-2017-012764" }, { "db": "PACKETSTORM", "id": "147005" }, { "db": "PACKETSTORM", "id": "146647" }, { "db": "PACKETSTORM", "id": "146656" }, { "db": "NVD", "id": "CVE-2017-14461" }, { "db": "CNNVD", "id": "CNNVD-201709-607" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2018-06399" }, { "db": "BID", "id": "103201" }, { "db": "JVNDB", "id": "JVNDB-2017-012764" }, { "db": "PACKETSTORM", "id": "147005" }, { "db": "PACKETSTORM", "id": "146647" }, { "db": "PACKETSTORM", "id": "146656" }, { "db": "NVD", "id": "CVE-2017-14461" }, { "db": "CNNVD", "id": "CNNVD-201709-607" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", 
"data": { "@container": "@list" } }, "data": [ { "date": "2018-03-27T00:00:00", "db": "CNVD", "id": "CNVD-2018-06399" }, { "date": "2018-03-01T00:00:00", "db": "BID", "id": "103201" }, { "date": "2018-04-16T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-012764" }, { "date": "2018-04-02T16:54:55", "db": "PACKETSTORM", "id": "147005" }, { "date": "2018-03-05T22:23:00", "db": "PACKETSTORM", "id": "146647" }, { "date": "2018-03-05T23:45:22", "db": "PACKETSTORM", "id": "146656" }, { "date": "2018-03-02T15:29:00.210000", "db": "NVD", "id": "CVE-2017-14461" }, { "date": "2017-09-15T00:00:00", "db": "CNNVD", "id": "CNNVD-201709-607" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-03-27T00:00:00", "db": "CNVD", "id": "CNVD-2018-06399" }, { "date": "2018-03-01T00:00:00", "db": "BID", "id": "103201" }, { "date": "2018-04-16T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-012764" }, { "date": "2022-04-19T19:15:17.503000", "db": "NVD", "id": "CVE-2017-14461" }, { "date": "2022-04-20T00:00:00", "db": "CNNVD", "id": "CNNVD-201709-607" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "147005" }, { "db": "PACKETSTORM", "id": "146647" }, { "db": "CNNVD", "id": "CNNVD-201709-607" } ], "trust": 0.8 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Dovecot Vulnerable to out-of-bounds reading", "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-012764" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": "buffer error", "sources": [ { "db": "CNNVD", "id": "CNNVD-201709-607" } ], "trust": 0.6 } }
var-201105-0289
Vulnerability from variot
script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems. Dovecot is prone to multiple security-bypass vulnerabilities because it fails to properly implement certain configuration settings. Authenticated attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Low: dovecot security and bug fix update
Advisory ID: RHSA-2013:0520-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0520.html
Issue date: 2013-02-21
CVE Names: CVE-2011-2166 CVE-2011-2167 CVE-2011-4318
=====================================================================
- Summary:
Updated dovecot packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
- Dovecot supports mail in either maildir or mbox format. The SQL drivers and authentication plug-ins are provided as sub-packages.
Two flaws were found in the way some settings were enforced by the script-login functionality of Dovecot. (CVE-2011-2166, CVE-2011-2167)
A flaw was found in the way Dovecot performed remote server identity verification, when it was configured to proxy IMAP and POP3 connections to remote hosts using TLS/SSL protocols. A remote attacker could use this flaw to conduct man-in-the-middle attacks using an X.509 certificate issued by a trusted Certificate Authority (for a different name). (CVE-2011-4318)
This update also fixes the following bug:
- When a new user first accessed their IMAP inbox, Dovecot was, under some circumstances, unable to change the group ownership of the inbox directory in the user's Maildir location to match that of the user's mail spool (/var/mail/$USER). This correctly generated an "Internal error occurred" message. However, with a subsequent attempt to access the inbox, Dovecot saw that the directory already existed and proceeded with its operation, leaving the directory with incorrectly set permissions. This update corrects the underlying permissions setting error. When a new user now accesses their inbox for the first time, and it is not possible to set group ownership, Dovecot removes the created directory and generates an error message instead of keeping the directory with incorrect group ownership. (BZ#697620)
Users of dovecot are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the dovecot service will be restarted automatically.
- Solution:
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258
- Package List:
Red Hat Enterprise Linux Server (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm
i386: dovecot-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-mysql-2.0.9-5.el6.i686.rpm dovecot-pgsql-2.0.9-5.el6.i686.rpm dovecot-pigeonhole-2.0.9-5.el6.i686.rpm
ppc64: dovecot-2.0.9-5.el6.ppc.rpm dovecot-2.0.9-5.el6.ppc64.rpm dovecot-debuginfo-2.0.9-5.el6.ppc.rpm dovecot-debuginfo-2.0.9-5.el6.ppc64.rpm dovecot-mysql-2.0.9-5.el6.ppc64.rpm dovecot-pgsql-2.0.9-5.el6.ppc64.rpm dovecot-pigeonhole-2.0.9-5.el6.ppc64.rpm
s390x: dovecot-2.0.9-5.el6.s390.rpm dovecot-2.0.9-5.el6.s390x.rpm dovecot-debuginfo-2.0.9-5.el6.s390.rpm dovecot-debuginfo-2.0.9-5.el6.s390x.rpm dovecot-mysql-2.0.9-5.el6.s390x.rpm dovecot-pgsql-2.0.9-5.el6.s390x.rpm dovecot-pigeonhole-2.0.9-5.el6.s390x.rpm
x86_64: dovecot-2.0.9-5.el6.i686.rpm dovecot-2.0.9-5.el6.x86_64.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-mysql-2.0.9-5.el6.x86_64.rpm dovecot-pgsql-2.0.9-5.el6.x86_64.rpm dovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm
i386: dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-devel-2.0.9-5.el6.i686.rpm
ppc64: dovecot-debuginfo-2.0.9-5.el6.ppc64.rpm dovecot-devel-2.0.9-5.el6.ppc64.rpm
s390x: dovecot-debuginfo-2.0.9-5.el6.s390x.rpm dovecot-devel-2.0.9-5.el6.s390x.rpm
x86_64: dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-devel-2.0.9-5.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm
i386: dovecot-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-mysql-2.0.9-5.el6.i686.rpm dovecot-pgsql-2.0.9-5.el6.i686.rpm dovecot-pigeonhole-2.0.9-5.el6.i686.rpm
x86_64: dovecot-2.0.9-5.el6.i686.rpm dovecot-2.0.9-5.el6.x86_64.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-mysql-2.0.9-5.el6.x86_64.rpm dovecot-pgsql-2.0.9-5.el6.x86_64.rpm dovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm
i386: dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-devel-2.0.9-5.el6.i686.rpm
x86_64: dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-devel-2.0.9-5.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package
- References:
https://www.redhat.com/security/data/cve/CVE-2011-2166.html https://www.redhat.com/security/data/cve/CVE-2011-2167.html https://www.redhat.com/security/data/cve/CVE-2011-4318.html https://access.redhat.com/security/updates/classification/#low
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFRJcMBXlSAg2UNWIIRAsLkAKCVzudrg6y2jNbVu8TARQH65FPliACgpPzA 3cvEfHEUoK/fdUBZNDEuZqU= =9rAE -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce .
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-04
http://security.gentoo.org/
Severity: High
Title: Dovecot: Multiple vulnerabilities
Date: October 10, 2011
Bugs: #286844, #293954, #314533, #368653
ID: 201110-04
Synopsis
Multiple vulnerabilities were found in Dovecot, the worst of which allows remote execution of arbitrary code. Please review the CVE identifiers referenced below for details.
Impact
A remote attacker could exploit these vulnerabilities to cause the remote execution of arbitrary code, or a Denial of Service condition, to conduct directory traversal attacks, corrupt data, or disclose information.
Workaround
There is no known workaround at this time.
Resolution
All Dovecot 1 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.2.17"
All Dovecot 2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.0.13"
NOTE: This is a legacy GLSA. Updates for all affected architectures have been available since May 28, 2011. It is likely that your system is already no longer affected by this issue.
References
[ 1 ] CVE-2009-3235 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235
[ 2 ] CVE-2009-3897 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897
[ 3 ] CVE-2010-0745 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745
[ 4 ] CVE-2010-3304 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304
[ 5 ] CVE-2010-3706 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706
[ 6 ] CVE-2010-3707 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707
[ 7 ] CVE-2010-3779 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779
[ 8 ] CVE-2010-3780 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780
[ 9 ] CVE-2011-1929 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929
[ 10 ] CVE-2011-2166 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166
[ 11 ] CVE-2011-2167 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-04.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201105-0289", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.12" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.3" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", 
"version": "2.0.5" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.0" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.1" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.2" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.4" }, { "model": "dovecot", "scope": "eq", "trust": 1.6, "vendor": "dovecot", "version": "2.0.8" }, { "model": "dovecot", "scope": "eq", "trust": 1.6, "vendor": "dovecot", "version": "2.0.9" }, { "model": "dovecot", "scope": "eq", "trust": 1.6, "vendor": "dovecot", "version": "2.0.7" }, { "model": "dovecot", "scope": "eq", "trust": 1.0, "vendor": "dovecot", "version": "2.0.10" }, { "model": "dovecot", "scope": "eq", "trust": 1.0, "vendor": "dovecot", "version": "2.0.11" }, { "model": "dovecot", "scope": "eq", "trust": 1.0, "vendor": "dovecot", "version": "2.0.6" }, { "model": "dovecot", "scope": "eq", "trust": 0.8, "vendor": "timo sirainen", "version": "2.0.13" }, { "model": "dovecot", "scope": "lt", "trust": 0.8, "vendor": "timo sirainen", "version": "2.0.x" }, { "model": "dovecot", "scope": "eq", "trust": 0.6, "vendor": "dovecot", "version": "2.0.x" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "2.0" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "6.2" }, { "model": "linux", "scope": null, "trust": 0.3, "vendor": "gentoo", "version": null }, { "model": "enterprise linux", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "6" }, { "model": "beta1", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "2.0" }, { "model": "dovecot", "scope": "ne", "trust": 0.3, "vendor": "dovecot", "version": "2.0.13" }, { "model": "centos", "scope": "eq", "trust": 0.3, "vendor": "centos", "version": "6" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2131" }, { "db": "BID", "id": "48003" }, 
{ "db": "JVNDB", "id": "JVNDB-2011-004653" }, { "db": "NVD", "id": "CVE-2011-2166" }, { "db": "CNNVD", "id": "CNNVD-201105-251" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.12:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2011-2166" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Reported by the vendor.", "sources": [ { "db": "BID", "id": "48003" } ], "trust": 0.3 }, "cve": "CVE-2011-2166", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "Single", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 6.5, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2011-2166", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2011-2166", "trust": 1.8, 
"value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201105-251", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2011-004653" }, { "db": "NVD", "id": "CVE-2011-2166" }, { "db": "CNNVD", "id": "CNNVD-201105-251" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems. Dovecot is prone to multiple security-bypass vulnerabilities because it fails to properly implement certain configuration settings. \nAuthenticated attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Low: dovecot security and bug fix update\nAdvisory ID: RHSA-2013:0520-02\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2013-0520.html\nIssue date: 2013-02-21\nCVE Names: CVE-2011-2166 CVE-2011-2167 CVE-2011-4318 \n=====================================================================\n\n1. Summary:\n\nUpdated dovecot packages that fix three security issues and one bug are now\navailable for Red Hat Enterprise Linux 6. \n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Server (v. 
6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64\n\n3. It\nsupports mail in either of maildir or mbox formats. The SQL drivers and\nauthentication plug-ins are provided as sub-packages. \n\nTwo flaws were found in the way some settings were enforced by the\nscript-login functionality of Dovecot. (CVE-2011-2166,\nCVE-2011-2167)\n\nA flaw was found in the way Dovecot performed remote server identity\nverification, when it was configured to proxy IMAP and POP3 connections to\nremote hosts using TLS/SSL protocols. A remote attacker could use this flaw\nto conduct man-in-the-middle attacks using an X.509 certificate issued by\na trusted Certificate Authority (for a different name). (CVE-2011-4318)\n\nThis update also fixes the following bug:\n\n* When a new user first accessed their IMAP inbox, Dovecot was, under some\ncircumstances, unable to change the group ownership of the inbox directory\nin the user\u0027s Maildir location to match that of the user\u0027s mail spool\n(/var/mail/$USER). This correctly generated an \"Internal error occurred\"\nmessage. However, with a subsequent attempt to access the inbox, Dovecot\nsaw that the directory already existed and proceeded with its operation,\nleaving the directory with incorrectly set permissions. This update\ncorrects the underlying permissions setting error. When a new user now\naccesses their inbox for the first time, and it is not possible to set\ngroup ownership, Dovecot removes the created directory and generates an\nerror message instead of keeping the directory with incorrect group\nownership. (BZ#697620)\n\nUsers of dovecot are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the dovecot service will be restarted automatically. 
\n\n4. Solution:\n\nBefore applying this update, make sure all previously-released errata\nrelevant to your system have been applied. \n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258\n\n5. Package List:\n\nRed Hat Enterprise Linux Server (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-mysql-2.0.9-5.el6.i686.rpm\ndovecot-pgsql-2.0.9-5.el6.i686.rpm\ndovecot-pigeonhole-2.0.9-5.el6.i686.rpm\n\nppc64:\ndovecot-2.0.9-5.el6.ppc.rpm\ndovecot-2.0.9-5.el6.ppc64.rpm\ndovecot-debuginfo-2.0.9-5.el6.ppc.rpm\ndovecot-debuginfo-2.0.9-5.el6.ppc64.rpm\ndovecot-mysql-2.0.9-5.el6.ppc64.rpm\ndovecot-pgsql-2.0.9-5.el6.ppc64.rpm\ndovecot-pigeonhole-2.0.9-5.el6.ppc64.rpm\n\ns390x:\ndovecot-2.0.9-5.el6.s390.rpm\ndovecot-2.0.9-5.el6.s390x.rpm\ndovecot-debuginfo-2.0.9-5.el6.s390.rpm\ndovecot-debuginfo-2.0.9-5.el6.s390x.rpm\ndovecot-mysql-2.0.9-5.el6.s390x.rpm\ndovecot-pgsql-2.0.9-5.el6.s390x.rpm\ndovecot-pigeonhole-2.0.9-5.el6.s390x.rpm\n\nx86_64:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-2.0.9-5.el6.x86_64.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-mysql-2.0.9-5.el6.x86_64.rpm\ndovecot-pgsql-2.0.9-5.el6.x86_64.rpm\ndovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 
6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-devel-2.0.9-5.el6.i686.rpm\n\nppc64:\ndovecot-debuginfo-2.0.9-5.el6.ppc64.rpm\ndovecot-devel-2.0.9-5.el6.ppc64.rpm\n\ns390x:\ndovecot-debuginfo-2.0.9-5.el6.s390x.rpm\ndovecot-devel-2.0.9-5.el6.s390x.rpm\n\nx86_64:\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-devel-2.0.9-5.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-mysql-2.0.9-5.el6.i686.rpm\ndovecot-pgsql-2.0.9-5.el6.i686.rpm\ndovecot-pigeonhole-2.0.9-5.el6.i686.rpm\n\nx86_64:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-2.0.9-5.el6.x86_64.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-mysql-2.0.9-5.el6.x86_64.rpm\ndovecot-pgsql-2.0.9-5.el6.x86_64.rpm\ndovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-devel-2.0.9-5.el6.i686.rpm\n\nx86_64:\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-devel-2.0.9-5.el6.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/#package\n\n7. References:\n\nhttps://www.redhat.com/security/data/cve/CVE-2011-2166.html\nhttps://www.redhat.com/security/data/cve/CVE-2011-2167.html\nhttps://www.redhat.com/security/data/cve/CVE-2011-4318.html\nhttps://access.redhat.com/security/updates/classification/#low\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. 
More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2013 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.4 (GNU/Linux)\n\niD8DBQFRJcMBXlSAg2UNWIIRAsLkAKCVzudrg6y2jNbVu8TARQH65FPliACgpPzA\n3cvEfHEUoK/fdUBZNDEuZqU=\n=9rAE\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 201110-04\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n http://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n Title: Dovecot: Multiple vulnerabilities\n Date: October 10, 2011\n Bugs: #286844, #293954, #314533, #368653\n ID: 201110-04\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities were found in Dovecot, the worst of which\nallowing for remote execution of arbitrary code. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nA remote attacker could exploit these vulnerabilities to cause the\nremote execution of arbitrary code, or a Denial of Service condition,\nto conduct directory traversal attacks, corrupt data, or disclose\ninformation. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Dovecot 1 users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-mail/dovecot-1.2.17\"\n\nAll Dovecot 2 users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-mail/dovecot-2.0.13\"\n\nNOTE: This is a legacy GLSA. Updates for all affected architectures are\navailable since May 28, 2011. It is likely that your system is already\nno longer affected by this issue. 
\n\nReferences\n==========\n\n[ 1 ] CVE-2009-3235\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235\n[ 2 ] CVE-2009-3897\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897\n[ 3 ] CVE-2010-0745\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745\n[ 4 ] CVE-2010-3304\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304\n[ 5 ] CVE-2010-3706\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706\n[ 6 ] CVE-2010-3707\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707\n[ 7 ] CVE-2010-3779\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779\n[ 8 ] CVE-2010-3780\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780\n[ 9 ] CVE-2011-1929\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929\n[ 10 ] CVE-2011-2166\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166\n[ 11 ] CVE-2011-2167\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n http://security.gentoo.org/glsa/glsa-201110-04.xml\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2011 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. 
\n\nhttp://creativecommons.org/licenses/by-sa/2.5\n\n\n\n", "sources": [ { "db": "NVD", "id": "CVE-2011-2166" }, { "db": "JVNDB", "id": "JVNDB-2011-004653" }, { "db": "CNVD", "id": "CNVD-2011-2131" }, { "db": "BID", "id": "48003" }, { "db": "PACKETSTORM", "id": "120446" }, { "db": "PACKETSTORM", "id": "105652" } ], "trust": 2.61 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2011-2166", "trust": 3.5 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2011/05/18/4", "trust": 1.6 }, { "db": "BID", "id": "48003", "trust": 1.3 }, { "db": "SECUNIA", "id": "52311", "trust": 1.0 }, { "db": "JVNDB", "id": "JVNDB-2011-004653", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2011-2131", "trust": 0.6 }, { "db": "MLIST", "id": "[DOVECOT] 20110511 V2.0.13 RELEASED", "trust": 0.6 }, { "db": "MLIST", "id": "[OSS-SECURITY] 20110518 DOVECOT RELEASES", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201105-251", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "120446", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "105652", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2131" }, { "db": "BID", "id": "48003" }, { "db": "JVNDB", "id": "JVNDB-2011-004653" }, { "db": "PACKETSTORM", "id": "120446" }, { "db": "PACKETSTORM", "id": "105652" }, { "db": "NVD", "id": "CVE-2011-2166" }, { "db": "CNNVD", "id": "CNNVD-201105-251" } ] }, "id": "VAR-201105-0289", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2011-2131" } ], "trust": 0.06 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", 
"@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2131" } ] }, "last_update_date": "2023-12-18T11:00:16.663000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "NEWS-2.0", "trust": 0.8, "url": "http://www.dovecot.org/doc/news-2.0" }, { "title": "Dovecot configuration error vulnerability patch", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/4011" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2131" }, { "db": "JVNDB", "id": "JVNDB-2011-004653" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-16", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2011-004653" }, { "db": "NVD", "id": "CVE-2011-2166" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "http://dovecot.org/pipermail/dovecot/2011-may/059085.html" }, { "trust": 1.6, "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "trust": 1.6, "url": "http://www.dovecot.org/doc/news-2.0" }, { "trust": 1.1, "url": "http://rhn.redhat.com/errata/rhsa-2013-0520.html" }, { "trust": 1.0, "url": "http://secunia.com/advisories/52311" }, { "trust": 1.0, "url": "http://www.securityfocus.com/bid/48003" }, { "trust": 1.0, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67675" }, { "trust": 0.8, "url": 
"http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-2166" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-2166" }, { "trust": 0.3, "url": "http://www.dovecot.org/" }, { "trust": 0.1, "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2011-2166" }, { "trust": 0.1, "url": "https://access.redhat.com/security/updates/classification/#low" }, { "trust": 0.1, "url": "https://www.redhat.com/security/data/cve/cve-2011-4318.html" }, { "trust": 0.1, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.1, "url": "https://www.redhat.com/security/data/cve/cve-2011-2166.html" }, { "trust": 0.1, "url": "https://www.redhat.com/security/data/cve/cve-2011-2167.html" }, { "trust": 0.1, "url": "https://access.redhat.com/security/team/key/#package" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2011-4318" }, { "trust": 0.1, "url": "http://bugzilla.redhat.com/):" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2011-2167" }, { "trust": 0.1, "url": "https://access.redhat.com/knowledge/articles/11258" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-1929" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3304" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3706" }, { "trust": 0.1, "url": "http://creativecommons.org/licenses/by-sa/2.5" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-0745" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3897" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3779" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2167" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3707" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2009-3897" }, { "trust": 0.1, "url": 
"http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3780" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2166" }, { "trust": 0.1, "url": "http://security.gentoo.org/" }, { "trust": 0.1, "url": "https://bugs.gentoo.org." }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3235" }, { "trust": 0.1, "url": "http://security.gentoo.org/glsa/glsa-201110-04.xml" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2009-3235" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2131" }, { "db": "BID", "id": "48003" }, { "db": "JVNDB", "id": "JVNDB-2011-004653" }, { "db": "PACKETSTORM", "id": "120446" }, { "db": "PACKETSTORM", "id": "105652" }, { "db": "NVD", "id": "CVE-2011-2166" }, { "db": "CNNVD", "id": "CNNVD-201105-251" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2011-2131" }, { "db": "BID", "id": "48003" }, { "db": "JVNDB", "id": "JVNDB-2011-004653" }, { "db": "PACKETSTORM", "id": "120446" }, { "db": "PACKETSTORM", "id": "105652" }, { "db": "NVD", "id": "CVE-2011-2166" }, { "db": "CNNVD", "id": "CNNVD-201105-251" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2011-06-05T00:00:00", "db": "CNVD", "id": "CNVD-2011-2131" }, { "date": "2011-05-26T00:00:00", "db": "BID", "id": "48003" }, { "date": "2012-03-27T00:00:00", "db": "JVNDB", "id": "JVNDB-2011-004653" }, { "date": "2013-02-21T16:28:44", "db": "PACKETSTORM", "id": "120446" }, { "date": "2011-10-10T22:42:12", "db": "PACKETSTORM", "id": "105652" }, { "date": "2011-05-24T23:55:04.433000", "db": "NVD", "id": "CVE-2011-2166" }, { "date": "2011-05-25T00:00:00", "db": "CNNVD", "id": "CNNVD-201105-251" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } 
}, "data": [ { "date": "2011-06-05T00:00:00", "db": "CNVD", "id": "CNVD-2011-2131" }, { "date": "2013-03-11T06:54:00", "db": "BID", "id": "48003" }, { "date": "2012-03-27T00:00:00", "db": "JVNDB", "id": "JVNDB-2011-004653" }, { "date": "2017-08-29T01:29:19.190000", "db": "NVD", "id": "CVE-2011-2166" }, { "date": "2011-05-26T00:00:00", "db": "CNNVD", "id": "CNNVD-201105-251" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "120446" }, { "db": "PACKETSTORM", "id": "105652" }, { "db": "CNNVD", "id": "CNNVD-201105-251" } ], "trust": 0.8 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Dovecot of script-login Vulnerable to access restrictions", "sources": [ { "db": "JVNDB", "id": "JVNDB-2011-004653" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "configuration error", "sources": [ { "db": "CNNVD", "id": "CNNVD-201105-251" } ], "trust": 0.6 } }
var-201003-0202
Vulnerability from variot
Dovecot in Apple Mac OS X 10.6 before 10.6.3, when Kerberos is enabled, does not properly enforce the service access control list (SACL) for sending and receiving e-mail, which allows remote authenticated users to bypass intended access restrictions via unspecified vectors. Dovecot is prone to a security-bypass vulnerability. An authenticated attacker may perform unauthorized email actions. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines. Permissions and access control vulnerabilities exist in Dovecot for Apple Mac OS X.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201003-0202", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "mac os x", "scope": "eq", "trust": 1.6, "vendor": "apple", "version": "10.6.1" }, { "model": "mac os x", "scope": "eq", "trust": 1.6, "vendor": "apple", "version": "10.6.0" }, { "model": "mac os x server", "scope": "eq", "trust": 1.6, "vendor": "apple", 
"version": "10.6.1" }, { "model": "mac os x server", "scope": "eq", "trust": 1.6, "vendor": "apple", "version": "10.6.2" }, { "model": "mac os x", "scope": "eq", "trust": 1.6, "vendor": "apple", "version": "10.6.2" }, { "model": "mac os x server", "scope": "eq", "trust": 1.6, "vendor": "apple", "version": "10.6.0" }, { "model": "mac os x", "scope": "eq", "trust": 0.8, "vendor": "apple", "version": "v10.6 to v10.6.2" }, { "model": "mac os x server", "scope": "eq", "trust": 0.8, "vendor": "apple", "version": "v10.6 to v10.6.2" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.2.8" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.2.7" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.1.6" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.1.5" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.1.4" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0.15" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0.13" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0.12" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0.11" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0.10" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0.9" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0.8" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0.7" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0.6" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0.5" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, 
"vendor": "dovecot", "version": "1.0.4" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0.3" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.2" }, { "model": "1.1rc3", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.1rc2", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc9", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc8", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc7", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc6", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc5", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc4", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc3", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc2", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc15", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc14", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc13", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc12", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc11", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.rc10", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.beta3", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "1.0.beta2", "scope": null, "trust": 0.3, "vendor": "dovecot", "version": null }, { "model": "rc29", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0" }, { "model": "rc1", "scope": "eq", 
"trust": 0.3, "vendor": "dovecot", "version": "1.0" }, { "model": "beta8", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0" }, { "model": "beta7", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "1.0" }, { "model": "mac os server", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.6.2" }, { "model": "mac os server", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.6.1" }, { "model": "mac os server", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.6" }, { "model": "mac os", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.6.2" }, { "model": "mac os", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.6.1" }, { "model": "mac os", "scope": "eq", "trust": 0.3, "vendor": "apple", "version": "x10.6" }, { "model": "mac os server", "scope": "ne", "trust": 0.3, "vendor": "apple", "version": "x10.6.3" }, { "model": "mac os", "scope": "ne", "trust": 0.3, "vendor": "apple", "version": "x10.6.3" } ], "sources": [ { "db": "BID", "id": "39258" }, { "db": "JVNDB", "id": "JVNDB-2010-001253" }, { "db": "NVD", "id": "CVE-2010-0535" }, { "db": "CNNVD", "id": "CNNVD-201003-491" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:apple:mac_os_x_server:10.6.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.6.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:10.6.2:*:*:*:*:*:*:*", "cpe_name": [], 
"vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:apple:mac_os_x_server:10.6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:apple:mac_os_x_server:10.6.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2010-0535" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Michael KisorDamian Put\u203b pucik@cc-team.org", "sources": [ { "db": "CNNVD", "id": "CNNVD-201003-491" } ], "trust": 0.6 }, "cve": "CVE-2010-0535", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "Single", "author": "NVD", 
"availabilityImpact": "Partial", "baseScore": 6.5, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2010-0535", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "VULHUB", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "VHN-43140", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:N/AC:L/AU:S/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2010-0535", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201003-491", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULHUB", "id": "VHN-43140", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULHUB", "id": "VHN-43140" }, { "db": "JVNDB", "id": "JVNDB-2010-001253" }, { "db": "NVD", "id": "CVE-2010-0535" }, { "db": "CNNVD", "id": "CNNVD-201003-491" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Dovecot in Apple Mac OS X 10.6 before 10.6.3, when Kerberos is enabled, does not properly enforce the service access control list (SACL) for sending and receiving e-mail, which allows remote authenticated users to bypass intended access restrictions via unspecified vectors. Dovecot is prone to a security-bypass vulnerability. \nAn authenticated attacker may perform unauthorized email actions. 
\nNOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines. Permissions and access control vulnerabilities exist in Dovecot for Apple Mac OS", "sources": [ { "db": "NVD", "id": "CVE-2010-0535" }, { "db": "JVNDB", "id": "JVNDB-2010-001253" }, { "db": "BID", "id": "39258" }, { "db": "VULHUB", "id": "VHN-43140" } ], "trust": 1.98 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2010-0535", "trust": 2.8 }, { "db": "JVNDB", "id": "JVNDB-2010-001253", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-201003-491", "trust": 0.7 }, { "db": "NSFOCUS", "id": "14715", "trust": 0.6 }, { "db": "APPLE", "id": "APPLE-SA-2010-03-29-1", "trust": 0.6 }, { "db": "BID", "id": "39258", "trust": 0.4 }, { "db": "VULHUB", "id": "VHN-43140", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-43140" }, { "db": "BID", "id": "39258" }, { "db": "JVNDB", "id": "JVNDB-2010-001253" }, { "db": "NVD", "id": "CVE-2010-0535" }, { "db": "CNNVD", "id": "CNNVD-201003-491" } ] }, "id": "VAR-201003-0202", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-43140" } ], "trust": 0.01 }, "last_update_date": "2023-12-18T11:52:46.802000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "HT4077", "trust": 0.8, "url": 
"http://support.apple.com/kb/ht4077" }, { "title": "HT4077", "trust": 0.8, "url": "http://support.apple.com/kb/ht4077?viewlocale=ja_jp" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2010-001253" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-264", "trust": 1.9 } ], "sources": [ { "db": "VULHUB", "id": "VHN-43140" }, { "db": "JVNDB", "id": "JVNDB-2010-001253" }, { "db": "NVD", "id": "CVE-2010-0535" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "http://lists.apple.com/archives/security-announce/2010//mar/msg00001.html" }, { "trust": 1.7, "url": "http://support.apple.com/kb/ht4077" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-0535" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-0535" }, { "trust": 0.6, "url": "http://www.nsfocus.net/vulndb/14715" }, { "trust": 0.3, "url": "http://www.dovecot.org/" } ], "sources": [ { "db": "VULHUB", "id": "VHN-43140" }, { "db": "BID", "id": "39258" }, { "db": "JVNDB", "id": "JVNDB-2010-001253" }, { "db": "NVD", "id": "CVE-2010-0535" }, { "db": "CNNVD", "id": "CNNVD-201003-491" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-43140" }, { "db": "BID", "id": "39258" }, { "db": "JVNDB", "id": "JVNDB-2010-001253" }, { "db": "NVD", "id": "CVE-2010-0535" }, { "db": "CNNVD", "id": "CNNVD-201003-491" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, 
"data": [ { "date": "2010-03-30T00:00:00", "db": "VULHUB", "id": "VHN-43140" }, { "date": "2010-03-29T00:00:00", "db": "BID", "id": "39258" }, { "date": "2010-04-14T00:00:00", "db": "JVNDB", "id": "JVNDB-2010-001253" }, { "date": "2010-03-30T18:30:01.407000", "db": "NVD", "id": "CVE-2010-0535" }, { "date": "2010-03-30T00:00:00", "db": "CNNVD", "id": "CNNVD-201003-491" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2010-06-21T00:00:00", "db": "VULHUB", "id": "VHN-43140" }, { "date": "2010-03-29T00:00:00", "db": "BID", "id": "39258" }, { "date": "2010-04-14T00:00:00", "db": "JVNDB", "id": "JVNDB-2010-001253" }, { "date": "2010-06-21T04:00:00", "db": "NVD", "id": "CVE-2010-0535" }, { "date": "2010-04-01T00:00:00", "db": "CNNVD", "id": "CNNVD-201003-491" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201003-491" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apple Mac OS X of Dovecot Vulnerable to access restrictions", "sources": [ { "db": "JVNDB", "id": "JVNDB-2010-001253" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "permissions and access control", "sources": [ { "db": "CNNVD", "id": "CNNVD-201003-491" } ], "trust": 0.6 } }
var-201105-0290
Vulnerability from variot
script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems. In 2.0.x versions prior to 2.0.13, script-login did not apply the configured chroot. Dovecot is prone to multiple security-bypass vulnerabilities because it fails to properly implement certain configuration settings. Authenticated attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Low: dovecot security and bug fix update Advisory ID: RHSA-2013:0520-02 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0520.html Issue date: 2013-02-21 CVE Names: CVE-2011-2166 CVE-2011-2167 CVE-2011-4318 =====================================================================
- Summary:
Updated dovecot packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
- Description: Dovecot supports mail in either maildir or mbox format. The SQL drivers and authentication plug-ins are provided as sub-packages.
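Two flaws were found in the way some settings were enforced by the script-login functionality of Dovecot: an authenticated remote bypass of intended access restrictions (CVE-2011-2166) and a directory traversal caused by the chroot directive not being obeyed (CVE-2011-2167).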
A flaw was found in the way Dovecot performed remote server identity verification, when it was configured to proxy IMAP and POP3 connections to remote hosts using TLS/SSL protocols. A remote attacker could use this flaw to conduct man-in-the-middle attacks using an X.509 certificate issued by a trusted Certificate Authority (for a different name). (CVE-2011-4318)
This update also fixes the following bug:
- When a new user first accessed their IMAP inbox, Dovecot was, under some circumstances, unable to change the group ownership of the inbox directory in the user's Maildir location to match that of the user's mail spool (/var/mail/$USER). This correctly generated an "Internal error occurred" message. However, with a subsequent attempt to access the inbox, Dovecot saw that the directory already existed and proceeded with its operation, leaving the directory with incorrectly set permissions. This update corrects the underlying permissions setting error. When a new user now accesses their inbox for the first time, and it is not possible to set group ownership, Dovecot removes the created directory and generates an error message instead of keeping the directory with incorrect group ownership. (BZ#697620)
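Users of dovecot are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Because the fixes are backported, the patched packages keep the upstream version string 2.0.9 (dovecot-2.0.9-5.el6); confirm the installed package release rather than comparing against the upstream 2.0.13 threshold given for CVE-2011-2167. After installing the updated packages, the dovecot service will be restarted automatically.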
- Solution:
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258
- Bugs fixed (http://bugzilla.redhat.com/):
709095 - CVE-2011-2166 dovecot: authenticated remote bypass of intended access restrictions 709097 - CVE-2011-2167 dovecot: directory traversal due to not obeying chroot directive 754980 - CVE-2011-4318 dovecot: proxy destination host name not checked against SSL certificate name
- Package List:
Red Hat Enterprise Linux Server (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm
i386: dovecot-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-mysql-2.0.9-5.el6.i686.rpm dovecot-pgsql-2.0.9-5.el6.i686.rpm dovecot-pigeonhole-2.0.9-5.el6.i686.rpm
ppc64: dovecot-2.0.9-5.el6.ppc.rpm dovecot-2.0.9-5.el6.ppc64.rpm dovecot-debuginfo-2.0.9-5.el6.ppc.rpm dovecot-debuginfo-2.0.9-5.el6.ppc64.rpm dovecot-mysql-2.0.9-5.el6.ppc64.rpm dovecot-pgsql-2.0.9-5.el6.ppc64.rpm dovecot-pigeonhole-2.0.9-5.el6.ppc64.rpm
s390x: dovecot-2.0.9-5.el6.s390.rpm dovecot-2.0.9-5.el6.s390x.rpm dovecot-debuginfo-2.0.9-5.el6.s390.rpm dovecot-debuginfo-2.0.9-5.el6.s390x.rpm dovecot-mysql-2.0.9-5.el6.s390x.rpm dovecot-pgsql-2.0.9-5.el6.s390x.rpm dovecot-pigeonhole-2.0.9-5.el6.s390x.rpm
x86_64: dovecot-2.0.9-5.el6.i686.rpm dovecot-2.0.9-5.el6.x86_64.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-mysql-2.0.9-5.el6.x86_64.rpm dovecot-pgsql-2.0.9-5.el6.x86_64.rpm dovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm
i386: dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-devel-2.0.9-5.el6.i686.rpm
ppc64: dovecot-debuginfo-2.0.9-5.el6.ppc64.rpm dovecot-devel-2.0.9-5.el6.ppc64.rpm
s390x: dovecot-debuginfo-2.0.9-5.el6.s390x.rpm dovecot-devel-2.0.9-5.el6.s390x.rpm
x86_64: dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-devel-2.0.9-5.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm
i386: dovecot-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-mysql-2.0.9-5.el6.i686.rpm dovecot-pgsql-2.0.9-5.el6.i686.rpm dovecot-pigeonhole-2.0.9-5.el6.i686.rpm
x86_64: dovecot-2.0.9-5.el6.i686.rpm dovecot-2.0.9-5.el6.x86_64.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-mysql-2.0.9-5.el6.x86_64.rpm dovecot-pgsql-2.0.9-5.el6.x86_64.rpm dovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm
i386: dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-devel-2.0.9-5.el6.i686.rpm
x86_64: dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-devel-2.0.9-5.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package
- References:
https://www.redhat.com/security/data/cve/CVE-2011-2166.html https://www.redhat.com/security/data/cve/CVE-2011-2167.html https://www.redhat.com/security/data/cve/CVE-2011-4318.html https://access.redhat.com/security/updates/classification/#low
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFRJcMBXlSAg2UNWIIRAsLkAKCVzudrg6y2jNbVu8TARQH65FPliACgpPzA 3cvEfHEUoK/fdUBZNDEuZqU= =9rAE -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-04
http://security.gentoo.org/
Severity: High Title: Dovecot: Multiple vulnerabilities Date: October 10, 2011 Bugs: #286844, #293954, #314533, #368653 ID: 201110-04
Synopsis
Multiple vulnerabilities were found in Dovecot, the worst of which allows remote execution of arbitrary code. Please review the CVE identifiers referenced below for details.
Impact
A remote attacker could exploit these vulnerabilities to cause the remote execution of arbitrary code, or a Denial of Service condition, to conduct directory traversal attacks, corrupt data, or disclose information.
Workaround
There is no known workaround at this time.
Resolution
All Dovecot 1 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.2.17"
All Dovecot 2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.0.13"
NOTE: This is a legacy GLSA. Updates for all affected architectures have been available since May 28, 2011. It is likely that your system is already no longer affected by this issue.
References
[ 1 ] CVE-2009-3235 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235
[ 2 ] CVE-2009-3897 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897
[ 3 ] CVE-2010-0745 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745
[ 4 ] CVE-2010-3304 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304
[ 5 ] CVE-2010-3706 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706
[ 6 ] CVE-2010-3707 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707
[ 7 ] CVE-2010-3779 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779
[ 8 ] CVE-2010-3780 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780
[ 9 ] CVE-2011-1929 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929
[ 10 ] CVE-2011-2166 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166
[ 11 ] CVE-2011-2167 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-04.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201105-0290", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.12" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.3" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", 
"version": "2.0.5" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.0" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.1" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.2" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.4" }, { "model": "dovecot", "scope": "eq", "trust": 1.6, "vendor": "dovecot", "version": "2.0.8" }, { "model": "dovecot", "scope": "eq", "trust": 1.6, "vendor": "dovecot", "version": "2.0.9" }, { "model": "dovecot", "scope": "eq", "trust": 1.6, "vendor": "dovecot", "version": "2.0.7" }, { "model": "dovecot", "scope": "eq", "trust": 1.0, "vendor": "dovecot", "version": "2.0.10" }, { "model": "dovecot", "scope": "eq", "trust": 1.0, "vendor": "dovecot", "version": "2.0.11" }, { "model": "dovecot", "scope": "eq", "trust": 1.0, "vendor": "dovecot", "version": "2.0.6" }, { "model": "dovecot", "scope": "eq", "trust": 0.8, "vendor": "timo sirainen", "version": "2.0.13" }, { "model": "dovecot", "scope": "lt", "trust": 0.8, "vendor": "timo sirainen", "version": "2.0.x" }, { "model": "dovecot", "scope": "eq", "trust": 0.6, "vendor": "dovecot", "version": "2.0.x" }, { "model": "dovecot", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "2.0" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "6.2" }, { "model": "linux", "scope": null, "trust": 0.3, "vendor": "gentoo", "version": null }, { "model": "enterprise linux", "scope": "eq", "trust": 0.3, "vendor": "oracle", "version": "6" }, { "model": "beta1", "scope": "eq", "trust": 0.3, "vendor": "dovecot", "version": "2.0" }, { "model": "dovecot", "scope": "ne", "trust": 0.3, "vendor": "dovecot", "version": "2.0.13" }, { "model": "centos", "scope": "eq", "trust": 0.3, "vendor": "centos", "version": "6" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2129" }, { "db": "BID", "id": "48003" }, 
{ "db": "JVNDB", "id": "JVNDB-2011-004654" }, { "db": "NVD", "id": "CVE-2011-2167" }, { "db": "CNNVD", "id": "CNNVD-201105-252" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.12:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2011-2167" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Reported by the vendor.", "sources": [ { "db": "BID", "id": "48003" } ], "trust": 0.3 }, "cve": "CVE-2011-2167", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "Single", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 6.5, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2011-2167", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2011-2167", "trust": 1.8, 
"value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201105-252", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2011-004654" }, { "db": "NVD", "id": "CVE-2011-2167" }, { "db": "CNNVD", "id": "CNNVD-201105-252" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems. The script-login in version 2.0.x prior to Dovecot 2.0.13 did not follow the chroot configuration. Dovecot is prone to multiple security-bypass vulnerabilities because it fails to properly implement certain configuration settings. \nAuthenticated attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Low: dovecot security and bug fix update\nAdvisory ID: RHSA-2013:0520-02\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2013-0520.html\nIssue date: 2013-02-21\nCVE Names: CVE-2011-2166 CVE-2011-2167 CVE-2011-4318 \n=====================================================================\n\n1. Summary:\n\nUpdated dovecot packages that fix three security issues and one bug are now\navailable for Red Hat Enterprise Linux 6. \n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section. \n\n2. 
Relevant releases/architectures:\n\nRed Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64\n\n3. It\nsupports mail in either of maildir or mbox formats. The SQL drivers and\nauthentication plug-ins are provided as sub-packages. \n\nTwo flaws were found in the way some settings were enforced by the\nscript-login functionality of Dovecot. (CVE-2011-2166,\nCVE-2011-2167)\n\nA flaw was found in the way Dovecot performed remote server identity\nverification, when it was configured to proxy IMAP and POP3 connections to\nremote hosts using TLS/SSL protocols. A remote attacker could use this flaw\nto conduct man-in-the-middle attacks using an X.509 certificate issued by\na trusted Certificate Authority (for a different name). (CVE-2011-4318)\n\nThis update also fixes the following bug:\n\n* When a new user first accessed their IMAP inbox, Dovecot was, under some\ncircumstances, unable to change the group ownership of the inbox directory\nin the user\u0027s Maildir location to match that of the user\u0027s mail spool\n(/var/mail/$USER). This correctly generated an \"Internal error occurred\"\nmessage. However, with a subsequent attempt to access the inbox, Dovecot\nsaw that the directory already existed and proceeded with its operation,\nleaving the directory with incorrectly set permissions. This update\ncorrects the underlying permissions setting error. When a new user now\naccesses their inbox for the first time, and it is not possible to set\ngroup ownership, Dovecot removes the created directory and generates an\nerror message instead of keeping the directory with incorrect group\nownership. (BZ#697620)\n\nUsers of dovecot are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing the\nupdated packages, the dovecot service will be restarted automatically. \n\n4. Solution:\n\nBefore applying this update, make sure all previously-released errata\nrelevant to your system have been applied. \n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258\n\n5. Bugs fixed (http://bugzilla.redhat.com/):\n\n709095 - CVE-2011-2166 dovecot: authenticated remote bypass of intended access restrictions\n709097 - CVE-2011-2167 dovecot: directory traversal due to not obeying chroot directive\n754980 - CVE-2011-4318 dovecot: proxy destination host name not checked against SSL certificate name\n\n6. Package List:\n\nRed Hat Enterprise Linux Server (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-mysql-2.0.9-5.el6.i686.rpm\ndovecot-pgsql-2.0.9-5.el6.i686.rpm\ndovecot-pigeonhole-2.0.9-5.el6.i686.rpm\n\nppc64:\ndovecot-2.0.9-5.el6.ppc.rpm\ndovecot-2.0.9-5.el6.ppc64.rpm\ndovecot-debuginfo-2.0.9-5.el6.ppc.rpm\ndovecot-debuginfo-2.0.9-5.el6.ppc64.rpm\ndovecot-mysql-2.0.9-5.el6.ppc64.rpm\ndovecot-pgsql-2.0.9-5.el6.ppc64.rpm\ndovecot-pigeonhole-2.0.9-5.el6.ppc64.rpm\n\ns390x:\ndovecot-2.0.9-5.el6.s390.rpm\ndovecot-2.0.9-5.el6.s390x.rpm\ndovecot-debuginfo-2.0.9-5.el6.s390.rpm\ndovecot-debuginfo-2.0.9-5.el6.s390x.rpm\ndovecot-mysql-2.0.9-5.el6.s390x.rpm\ndovecot-pgsql-2.0.9-5.el6.s390x.rpm\ndovecot-pigeonhole-2.0.9-5.el6.s390x.rpm\n\nx86_64:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-2.0.9-5.el6.x86_64.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-mysql-2.0.9-5.el6.x86_64.rpm\ndovecot-pgsql-2.0.9-5.el6.x86_64.rpm\ndovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 
6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-devel-2.0.9-5.el6.i686.rpm\n\nppc64:\ndovecot-debuginfo-2.0.9-5.el6.ppc64.rpm\ndovecot-devel-2.0.9-5.el6.ppc64.rpm\n\ns390x:\ndovecot-debuginfo-2.0.9-5.el6.s390x.rpm\ndovecot-devel-2.0.9-5.el6.s390x.rpm\n\nx86_64:\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-devel-2.0.9-5.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-mysql-2.0.9-5.el6.i686.rpm\ndovecot-pgsql-2.0.9-5.el6.i686.rpm\ndovecot-pigeonhole-2.0.9-5.el6.i686.rpm\n\nx86_64:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-2.0.9-5.el6.x86_64.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-mysql-2.0.9-5.el6.x86_64.rpm\ndovecot-pgsql-2.0.9-5.el6.x86_64.rpm\ndovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-devel-2.0.9-5.el6.i686.rpm\n\nx86_64:\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-devel-2.0.9-5.el6.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/#package\n\n7. References:\n\nhttps://www.redhat.com/security/data/cve/CVE-2011-2166.html\nhttps://www.redhat.com/security/data/cve/CVE-2011-2167.html\nhttps://www.redhat.com/security/data/cve/CVE-2011-4318.html\nhttps://access.redhat.com/security/updates/classification/#low\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. 
More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2013 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.4 (GNU/Linux)\n\niD8DBQFRJcMBXlSAg2UNWIIRAsLkAKCVzudrg6y2jNbVu8TARQH65FPliACgpPzA\n3cvEfHEUoK/fdUBZNDEuZqU=\n=9rAE\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 201110-04\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n http://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n Title: Dovecot: Multiple vulnerabilities\n Date: October 10, 2011\n Bugs: #286844, #293954, #314533, #368653\n ID: 201110-04\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities were found in Dovecot, the worst of which\nallowing for remote execution of arbitrary code. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nA remote attacker could exploit these vulnerabilities to cause the\nremote execution of arbitrary code, or a Denial of Service condition,\nto conduct directory traversal attacks, corrupt data, or disclose\ninformation. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Dovecot 1 users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-mail/dovecot-1.2.17\"\n\nAll Dovecot 2 users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-mail/dovecot-2.0.13\"\n\nNOTE: This is a legacy GLSA. Updates for all affected architectures are\navailable since May 28, 2011. It is likely that your system is already\nno longer affected by this issue. 
\n\nReferences\n==========\n\n[ 1 ] CVE-2009-3235\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235\n[ 2 ] CVE-2009-3897\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897\n[ 3 ] CVE-2010-0745\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745\n[ 4 ] CVE-2010-3304\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304\n[ 5 ] CVE-2010-3706\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706\n[ 6 ] CVE-2010-3707\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707\n[ 7 ] CVE-2010-3779\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779\n[ 8 ] CVE-2010-3780\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780\n[ 9 ] CVE-2011-1929\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929\n[ 10 ] CVE-2011-2166\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166\n[ 11 ] CVE-2011-2167\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n http://security.gentoo.org/glsa/glsa-201110-04.xml\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2011 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. 
\n\nhttp://creativecommons.org/licenses/by-sa/2.5\n\n\n\n", "sources": [ { "db": "NVD", "id": "CVE-2011-2167" }, { "db": "JVNDB", "id": "JVNDB-2011-004654" }, { "db": "CNVD", "id": "CNVD-2011-2129" }, { "db": "BID", "id": "48003" }, { "db": "PACKETSTORM", "id": "120446" }, { "db": "PACKETSTORM", "id": "105652" } ], "trust": 2.61 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2011-2167", "trust": 3.5 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2011/05/18/4", "trust": 1.6 }, { "db": "BID", "id": "48003", "trust": 1.3 }, { "db": "SECUNIA", "id": "52311", "trust": 1.0 }, { "db": "JVNDB", "id": "JVNDB-2011-004654", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2011-2129", "trust": 0.6 }, { "db": "MLIST", "id": "[DOVECOT] 20110511 V2.0.13 RELEASED", "trust": 0.6 }, { "db": "MLIST", "id": "[OSS-SECURITY] 20110518 DOVECOT RELEASES", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201105-252", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "120446", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "105652", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2129" }, { "db": "BID", "id": "48003" }, { "db": "JVNDB", "id": "JVNDB-2011-004654" }, { "db": "PACKETSTORM", "id": "120446" }, { "db": "PACKETSTORM", "id": "105652" }, { "db": "NVD", "id": "CVE-2011-2167" }, { "db": "CNNVD", "id": "CNNVD-201105-252" } ] }, "id": "VAR-201105-0290", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2011-2129" } ], "trust": 0.06 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", 
"@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2129" } ] }, "last_update_date": "2023-12-18T10:58:27.827000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "NEWS-2.0", "trust": 0.8, "url": "http://www.dovecot.org/doc/news-2.0" }, { "title": "Dovecot directory traversal vulnerability patch", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/4009" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2129" }, { "db": "JVNDB", "id": "JVNDB-2011-004654" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-22", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2011-004654" }, { "db": "NVD", "id": "CVE-2011-2167" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "http://dovecot.org/pipermail/dovecot/2011-may/059085.html" }, { "trust": 1.6, "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "trust": 1.6, "url": "http://www.dovecot.org/doc/news-2.0" }, { "trust": 1.1, "url": "http://rhn.redhat.com/errata/rhsa-2013-0520.html" }, { "trust": 1.0, "url": "http://secunia.com/advisories/52311" }, { "trust": 1.0, "url": "http://www.securityfocus.com/bid/48003" }, { "trust": 1.0, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67674" }, { "trust": 0.8, "url": 
"http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-2167" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-2167" }, { "trust": 0.3, "url": "http://www.dovecot.org/" }, { "trust": 0.1, "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2011-2166" }, { "trust": 0.1, "url": "https://access.redhat.com/security/updates/classification/#low" }, { "trust": 0.1, "url": "https://www.redhat.com/security/data/cve/cve-2011-4318.html" }, { "trust": 0.1, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.1, "url": "https://www.redhat.com/security/data/cve/cve-2011-2166.html" }, { "trust": 0.1, "url": "https://www.redhat.com/security/data/cve/cve-2011-2167.html" }, { "trust": 0.1, "url": "https://access.redhat.com/security/team/key/#package" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2011-4318" }, { "trust": 0.1, "url": "http://bugzilla.redhat.com/):" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2011-2167" }, { "trust": 0.1, "url": "https://access.redhat.com/knowledge/articles/11258" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-1929" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3304" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3706" }, { "trust": 0.1, "url": "http://creativecommons.org/licenses/by-sa/2.5" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-0745" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3897" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3779" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2167" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3707" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2009-3897" }, { "trust": 0.1, "url": 
"http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3780" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2166" }, { "trust": 0.1, "url": "http://security.gentoo.org/" }, { "trust": 0.1, "url": "https://bugs.gentoo.org." }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3235" }, { "trust": 0.1, "url": "http://security.gentoo.org/glsa/glsa-201110-04.xml" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2009-3235" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2129" }, { "db": "BID", "id": "48003" }, { "db": "JVNDB", "id": "JVNDB-2011-004654" }, { "db": "PACKETSTORM", "id": "120446" }, { "db": "PACKETSTORM", "id": "105652" }, { "db": "NVD", "id": "CVE-2011-2167" }, { "db": "CNNVD", "id": "CNNVD-201105-252" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2011-2129" }, { "db": "BID", "id": "48003" }, { "db": "JVNDB", "id": "JVNDB-2011-004654" }, { "db": "PACKETSTORM", "id": "120446" }, { "db": "PACKETSTORM", "id": "105652" }, { "db": "NVD", "id": "CVE-2011-2167" }, { "db": "CNNVD", "id": "CNNVD-201105-252" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2011-06-05T00:00:00", "db": "CNVD", "id": "CNVD-2011-2129" }, { "date": "2011-05-26T00:00:00", "db": "BID", "id": "48003" }, { "date": "2012-03-27T00:00:00", "db": "JVNDB", "id": "JVNDB-2011-004654" }, { "date": "2013-02-21T16:28:44", "db": "PACKETSTORM", "id": "120446" }, { "date": "2011-10-10T22:42:12", "db": "PACKETSTORM", "id": "105652" }, { "date": "2011-05-24T23:55:04.480000", "db": "NVD", "id": "CVE-2011-2167" }, { "date": "2011-05-25T00:00:00", "db": "CNNVD", "id": "CNNVD-201105-252" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } 
}, "data": [ { "date": "2011-06-05T00:00:00", "db": "CNVD", "id": "CNVD-2011-2129" }, { "date": "2013-03-11T06:54:00", "db": "BID", "id": "48003" }, { "date": "2012-03-27T00:00:00", "db": "JVNDB", "id": "JVNDB-2011-004654" }, { "date": "2017-08-29T01:29:19.253000", "db": "NVD", "id": "CVE-2011-2167" }, { "date": "2011-05-25T00:00:00", "db": "CNNVD", "id": "CNNVD-201105-252" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "120446" }, { "db": "PACKETSTORM", "id": "105652" }, { "db": "CNNVD", "id": "CNNVD-201105-252" } ], "trust": 0.8 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Dovecot of script-login Vulnerable to performing a directory traversal attack", "sources": [ { "db": "JVNDB", "id": "JVNDB-2011-004654" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "path traversal", "sources": [ { "db": "CNNVD", "id": "CNNVD-201105-252" } ], "trust": 0.6 } }
var-201105-0095
Vulnerability from variot
lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\0' characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems. Dovecot is prone to a denial-of-service vulnerability because it fails to properly parse message headers. A remote attacker can exploit this issue to crash the affected application, denying service to legitimate users. Dovecot versions prior to 1.2.17 and 2.0.13 are vulnerable. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: dovecot security update Advisory ID: RHSA-2011:1187-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1187.html Issue date: 2011-08-18 CVE Names: CVE-2011-1929 =====================================================================
- Summary:
Updated dovecot packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
- Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
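- Description: the security issue fixed by this update is a potential crash when Dovecot parses header names that contain NUL characters (bug 706286 in the list below). (CVE-2011-1929)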
Users of dovecot are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the dovecot service will be restarted automatically.
- Solution:
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259
- Bugs fixed (http://bugzilla.redhat.com/):
706286 - CVE-2011-1929 dovecot: potential crash when parsing header names that contain NUL characters
- Package List:
Red Hat Enterprise Linux AS version 4:
Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm
i386: dovecot-0.99.11-10.EL4.i386.rpm dovecot-debuginfo-0.99.11-10.EL4.i386.rpm
ia64: dovecot-0.99.11-10.EL4.ia64.rpm dovecot-debuginfo-0.99.11-10.EL4.ia64.rpm
ppc: dovecot-0.99.11-10.EL4.ppc.rpm dovecot-debuginfo-0.99.11-10.EL4.ppc.rpm
s390: dovecot-0.99.11-10.EL4.s390.rpm dovecot-debuginfo-0.99.11-10.EL4.s390.rpm
s390x: dovecot-0.99.11-10.EL4.s390x.rpm dovecot-debuginfo-0.99.11-10.EL4.s390x.rpm
x86_64: dovecot-0.99.11-10.EL4.x86_64.rpm dovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm
i386: dovecot-0.99.11-10.EL4.i386.rpm dovecot-debuginfo-0.99.11-10.EL4.i386.rpm
x86_64: dovecot-0.99.11-10.EL4.x86_64.rpm dovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm
i386: dovecot-0.99.11-10.EL4.i386.rpm dovecot-debuginfo-0.99.11-10.EL4.i386.rpm
ia64: dovecot-0.99.11-10.EL4.ia64.rpm dovecot-debuginfo-0.99.11-10.EL4.ia64.rpm
x86_64: dovecot-0.99.11-10.EL4.x86_64.rpm dovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm
i386: dovecot-0.99.11-10.EL4.i386.rpm dovecot-debuginfo-0.99.11-10.EL4.i386.rpm
ia64: dovecot-0.99.11-10.EL4.ia64.rpm dovecot-debuginfo-0.99.11-10.EL4.ia64.rpm
x86_64: dovecot-0.99.11-10.EL4.x86_64.rpm dovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/dovecot-1.0.7-7.el5_7.1.src.rpm
i386: dovecot-1.0.7-7.el5_7.1.i386.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.i386.rpm
x86_64: dovecot-1.0.7-7.el5_7.1.x86_64.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/dovecot-1.0.7-7.el5_7.1.src.rpm
i386: dovecot-1.0.7-7.el5_7.1.i386.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.i386.rpm
ia64: dovecot-1.0.7-7.el5_7.1.ia64.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.ia64.rpm
ppc: dovecot-1.0.7-7.el5_7.1.ppc.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.ppc.rpm
s390x: dovecot-1.0.7-7.el5_7.1.s390x.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.s390x.rpm
x86_64: dovecot-1.0.7-7.el5_7.1.x86_64.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm
i386: dovecot-2.0.9-2.el6_1.1.i686.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm dovecot-mysql-2.0.9-2.el6_1.1.i686.rpm dovecot-pgsql-2.0.9-2.el6_1.1.i686.rpm dovecot-pigeonhole-2.0.9-2.el6_1.1.i686.rpm
ppc64: dovecot-2.0.9-2.el6_1.1.ppc.rpm dovecot-2.0.9-2.el6_1.1.ppc64.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.ppc.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.ppc64.rpm dovecot-mysql-2.0.9-2.el6_1.1.ppc64.rpm dovecot-pgsql-2.0.9-2.el6_1.1.ppc64.rpm dovecot-pigeonhole-2.0.9-2.el6_1.1.ppc64.rpm
s390x: dovecot-2.0.9-2.el6_1.1.s390.rpm dovecot-2.0.9-2.el6_1.1.s390x.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.s390.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.s390x.rpm dovecot-mysql-2.0.9-2.el6_1.1.s390x.rpm dovecot-pgsql-2.0.9-2.el6_1.1.s390x.rpm dovecot-pigeonhole-2.0.9-2.el6_1.1.s390x.rpm
x86_64: dovecot-2.0.9-2.el6_1.1.i686.rpm dovecot-2.0.9-2.el6_1.1.x86_64.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm dovecot-mysql-2.0.9-2.el6_1.1.x86_64.rpm dovecot-pgsql-2.0.9-2.el6_1.1.x86_64.rpm dovecot-pigeonhole-2.0.9-2.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm
i386: dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm dovecot-devel-2.0.9-2.el6_1.1.i686.rpm
ppc64: dovecot-debuginfo-2.0.9-2.el6_1.1.ppc64.rpm dovecot-devel-2.0.9-2.el6_1.1.ppc64.rpm
s390x: dovecot-debuginfo-2.0.9-2.el6_1.1.s390x.rpm dovecot-devel-2.0.9-2.el6_1.1.s390x.rpm
x86_64: dovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm dovecot-devel-2.0.9-2.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm
i386: dovecot-2.0.9-2.el6_1.1.i686.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm dovecot-mysql-2.0.9-2.el6_1.1.i686.rpm dovecot-pgsql-2.0.9-2.el6_1.1.i686.rpm dovecot-pigeonhole-2.0.9-2.el6_1.1.i686.rpm
x86_64: dovecot-2.0.9-2.el6_1.1.i686.rpm dovecot-2.0.9-2.el6_1.1.x86_64.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm dovecot-mysql-2.0.9-2.el6_1.1.x86_64.rpm dovecot-pgsql-2.0.9-2.el6_1.1.x86_64.rpm dovecot-pigeonhole-2.0.9-2.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm
i386: dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm dovecot-devel-2.0.9-2.el6_1.1.i686.rpm
x86_64: dovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm dovecot-devel-2.0.9-2.el6_1.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package
- References:
https://www.redhat.com/security/data/cve/CVE-2011-1929.html https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOTW29XlSAg2UNWIIRAr8LAKCu85vT3BXBKZ1SRebWK7B9nG6OFQCfYR3k P3AdaDf2BpXnEhk2OL5DTpo= =eG31 -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce .

Gentoo Linux Security Advisory GLSA 201110-04
http://security.gentoo.org/
Severity: High Title: Dovecot: Multiple vulnerabilities Date: October 10, 2011 Bugs: #286844, #293954, #314533, #368653 ID: 201110-04
Synopsis
Multiple vulnerabilities were found in Dovecot, the worst of which allows for remote execution of arbitrary code.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-mail/dovecot / vulnerable: < 2.0.13 / unaffected: *>= 1.2.17, >= 2.0.13
Description
Multiple vulnerabilities have been discovered in Dovecot. Please review the CVE identifiers referenced below for details.
Impact
A remote attacker could exploit these vulnerabilities to cause the remote execution of arbitrary code, or a Denial of Service condition, to conduct directory traversal attacks, corrupt data, or disclose information.
Workaround
There is no known workaround at this time.
Resolution
All Dovecot 1 users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.2.17"
All Dovecot 2 users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.0.13"
NOTE: This is a legacy GLSA. Updates for all affected architectures are available since May 28, 2011. It is likely that your system is already no longer affected by this issue.
References
[ 1 ] CVE-2009-3235 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235 [ 2 ] CVE-2009-3897 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897 [ 3 ] CVE-2010-0745 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745 [ 4 ] CVE-2010-3304 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304 [ 5 ] CVE-2010-3706 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706 [ 6 ] CVE-2010-3707 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707 [ 7 ] CVE-2010-3779 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779 [ 8 ] CVE-2010-3780 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780 [ 9 ] CVE-2011-1929 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929 [ 10 ] CVE-2011-2166 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166 [ 11 ] CVE-2011-2167 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-04.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
Packages for 2009.0 are provided as of the Extended Maintenance Program. The verification of md5 checksums and GPG signatures is performed automatically for you.
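All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing the command below. The command selects the key by its short 32-bit ID, which is not unique, so check the full fingerprint of the imported key against one published through a trusted channel before relying on it: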
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFN3e9VmqjQ0CJFipgRAjwfAJ95TzNOzqcOHVs9I3gIj1PqbuH6+gCfaxLM TC22GorN3moiTA4Ska8YOLU= =2Q1M -----END PGP SIGNATURE-----
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ .

Ubuntu Security Notice USN-1143-1 June 02, 2011
dovecot vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
An attacker could send a crafted email message that could disrupt email service.
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 11.04: dovecot-common 1:1.2.15-3ubuntu2.1
Ubuntu 10.10: dovecot-common 1:1.2.12-1ubuntu8.2
Ubuntu 10.04 LTS: dovecot-common 1:1.2.9-1ubuntu6.4
In general, a standard system update will make all the necessary changes.
The oldstable distribution (lenny) is not affected.
For the stable distribution (squeeze), this problem has been fixed in version 1.2.15-7.
For the unstable distribution (sid), this problem has been fixed in version 2.0.13-1.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201105-0095", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.12" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", "version": "2.0.1" }, { "model": "dovecot", "scope": "eq", "trust": 1.9, "vendor": "dovecot", 
"version": "2.0.0" }, { "model": "dovecot", "scope": "eq", "trust": 1.6, "vendor": "dovecot", "version": "2.0.8" }, { "model": "dovecot", "scope": "eq", "trust": 1.6, "vendor": "dovecot", "version": "2.0.7" }, { "model": "dovecot", "scope": "eq", "trust": 1.6, "vendor": "dovecot", "version": "2.0" }, { "model": "dovecot", "scope": "eq", "trust": 1.6, "vendor": "dovecot", "version": "2.0.9" }, { "model": "dovecot", "scope": "eq", "trust": 1.6, "vendor": "dovecot", "version": "2.0.6" }, { "model": "dovecot", "scope": "eq", "trust": 1.6, "vendor": "dovecot", "version": "2.0.10" }, { "model": "dovecot", "scope": "eq", "trust": 1.6, "vendor": "dovecot", "version": "2.0.11" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "2.0.4" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "2.0.3" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "2.0.2" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.16" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.15" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.14" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.13" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.12" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.10" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.9" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.8" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.7" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "2.0.5" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.6" 
}, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.5" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.4" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.3" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.2" }, { "model": "dovecot", "scope": "eq", "trust": 1.3, "vendor": "dovecot", "version": "1.2.11" }, { "model": "dovecot", "scope": "eq", "trust": 1.0, "vendor": "dovecot", "version": "1.2.0" }, { "model": "dovecot", "scope": "eq", "trust": 1.0, "vendor": "dovecot", "version": "1.2.1" }, { "model": "dovecot", "scope": "lt", "trust": 0.8, "vendor": "timo sirainen", "version": "1.2.17" }, { "model": "dovecot", "scope": "lt", "trust": 0.8, "vendor": "timo sirainen", "version": "2.0.13" }, { "model": "turbolinux appliance server", "scope": "eq", "trust": 0.8, "vendor": "turbo linux", "version": "3.0" }, { "model": "turbolinux appliance server", "scope": "eq", "trust": 0.8, "vendor": "turbo linux", "version": "3.0 (x64)" }, { "model": "turbolinux server", "scope": "eq", "trust": 0.8, "vendor": "turbo linux", "version": "11" }, { "model": "turbolinux server", "scope": "eq", "trust": 0.8, "vendor": "turbo linux", "version": "11 (x64)" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "4 (as)" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "4 (es)" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "4 (ws)" }, { "model": "enterprise linux", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "5 (server)" }, { "model": "enterprise linux desktop", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "4.0" }, { "model": "enterprise linux server", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "6" }, { "model": "enterprise linux server eus", 
"scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "6.1.z" }, { "model": "enterprise linux workstation", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "6" }, { "model": "rhel desktop workstation", "scope": "eq", "trust": 0.8, "vendor": "red hat", "version": "5 (client)" }, { "model": "dovecot", "scope": "eq", "trust": 0.6, "vendor": "dovecot", "version": "1.2.x" }, { "model": "dovecot", "scope": "eq", "trust": 0.6, "vendor": "dovecot", "version": "2.0.x" }, { "model": "linux powerpc", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "11.04" }, { "model": "linux i386", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "11.04" }, { "model": "linux arm", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "11.04" }, { "model": "linux amd64", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "11.04" }, { "model": "linux powerpc", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "10.10" }, { "model": "linux i386", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "10.10" }, { "model": "linux arm", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "10.10" }, { "model": "linux amd64", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "10.10" }, { "model": "linux sparc", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "10.04" }, { "model": "linux powerpc", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "10.04" }, { "model": "linux i386", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "10.04" }, { "model": "linux arm", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "10.04" }, { "model": "linux amd64", "scope": "eq", "trust": 0.3, "vendor": "ubuntu", "version": "10.04" }, { "model": "opensuse", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "11.4" }, { "model": "opensuse", "scope": "eq", "trust": 0.3, "vendor": "s u s e", "version": "11.3" }, { "model": "enterprise linux ws", "scope": "eq", "trust": 0.3, 
"vendor": "redhat", "version": "4" }, { "model": "enterprise linux workstation optional", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "6" }, { "model": "enterprise linux workstation", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "6" }, { "model": "enterprise linux server optional", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "6" }, { "model": "enterprise linux server", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "6" }, { "model": "enterprise linux es", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "4" }, { "model": "enterprise linux desktop workstation client", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "5" }, { "model": "enterprise linux as", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "4" }, { "model": "enterprise linux desktop version", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "4" }, { "model": "enterprise linux server", "scope": "eq", "trust": 0.3, "vendor": "redhat", "version": "5" }, { "model": "linux mandrake x86 64", "scope": "eq", "trust": 0.3, "vendor": "mandriva", "version": "2010.1" }, { "model": "linux mandrake", "scope": "eq", "trust": 0.3, "vendor": "mandriva", "version": "2010.1" }, { "model": "linux mandrake x86 64", "scope": "eq", "trust": 0.3, "vendor": "mandriva", "version": "2009.0" }, { "model": "linux mandrake", "scope": "eq", "trust": 0.3, "vendor": "mandriva", "version": "2009.0" }, { "model": "enterprise server x86 64", "scope": "eq", "trust": 0.3, "vendor": "mandrakesoft", "version": "5" }, { "model": "enterprise server", "scope": "eq", "trust": 0.3, "vendor": "mandrakesoft", "version": "5" }, { "model": "linux", "scope": null, "trust": 0.3, "vendor": "gentoo", "version": null }, { "model": "dovecot", "scope": "ne", "trust": 0.3, "vendor": "dovecot", "version": "2.0.13" }, { "model": "dovecot", "scope": "ne", "trust": 0.3, "vendor": "dovecot", "version": "1.2.17" } ], "sources": [ { "db": "CNVD", "id": 
"CNVD-2011-2132" }, { "db": "BID", "id": "47930" }, { "db": "JVNDB", "id": "JVNDB-2011-001934" }, { "db": "CNNVD", "id": "CNNVD-201105-250" }, { "db": "NVD", "id": "CVE-2011-1929" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.13:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.15:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.12:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.14:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.16:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.8:*:*:*:*:*:*:*", 
"cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:1.2.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.12:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0:beta1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:2.0.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2011-1929" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Timo 
Sirainen", "sources": [ { "db": "BID", "id": "47930" } ], "trust": 0.3 }, "cve": "CVE-2011-1929", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 5.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2011-1929", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [], "severity": [ { "author": "NVD", "id": "CVE-2011-1929", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201105-250", "trust": 0.6, "value": "MEDIUM" 
} ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2011-001934" }, { "db": "CNNVD", "id": "CNNVD-201105-250" }, { "db": "NVD", "id": "CVE-2011-1929" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle \u0027\\0\u0027 characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems. Dovecot is prone to a denial-of-service vulnerability because it fails to properly parse message headers. \nA remote attacker can exploit this issue to crash the affected application, denying service to legitimate users. \nDovecot versions prior to 1.2.17 and 2.0.13 are vulnerable. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: dovecot security update\nAdvisory ID: RHSA-2011:1187-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2011-1187.html\nIssue date: 2011-08-18\nCVE Names: CVE-2011-1929 \n=====================================================================\n\n1. Summary:\n\nUpdated dovecot packages that fix one security issue are now available for\nRed Hat Enterprise Linux 4, 5, and 6. \n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section. \n\n2. Relevant releases/architectures:\n\nRHEL Desktop Workstation (v. 5 client) - i386, x86_64\nRed Hat Enterprise Linux (v. 
5 server) - i386, ia64, ppc, s390x, x86_64\nRed Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64\nRed Hat Enterprise Linux Desktop version 4 - i386, x86_64\nRed Hat Enterprise Linux ES version 4 - i386, ia64, x86_64\nRed Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux WS version 4 - i386, ia64, x86_64\nRed Hat Enterprise Linux Workstation (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64\n\n3. \n(CVE-2011-1929)\n\nUsers of dovecot are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing the\nupdated packages, the dovecot service will be restarted automatically. \n\n4. Solution:\n\nBefore applying this update, make sure all previously-released errata\nrelevant to your system have been applied. \n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259\n\n5. Bugs fixed (http://bugzilla.redhat.com/):\n\n706286 - CVE-2011-1929 dovecot: potential crash when parsing header names that contain NUL characters\n\n6. 
Package List:\n\nRed Hat Enterprise Linux AS version 4:\n\nSource:\nftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm\n\ni386:\ndovecot-0.99.11-10.EL4.i386.rpm\ndovecot-debuginfo-0.99.11-10.EL4.i386.rpm\n\nia64:\ndovecot-0.99.11-10.EL4.ia64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.ia64.rpm\n\nppc:\ndovecot-0.99.11-10.EL4.ppc.rpm\ndovecot-debuginfo-0.99.11-10.EL4.ppc.rpm\n\ns390:\ndovecot-0.99.11-10.EL4.s390.rpm\ndovecot-debuginfo-0.99.11-10.EL4.s390.rpm\n\ns390x:\ndovecot-0.99.11-10.EL4.s390x.rpm\ndovecot-debuginfo-0.99.11-10.EL4.s390x.rpm\n\nx86_64:\ndovecot-0.99.11-10.EL4.x86_64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm\n\nRed Hat Enterprise Linux Desktop version 4:\n\nSource:\nftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm\n\ni386:\ndovecot-0.99.11-10.EL4.i386.rpm\ndovecot-debuginfo-0.99.11-10.EL4.i386.rpm\n\nx86_64:\ndovecot-0.99.11-10.EL4.x86_64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm\n\nRed Hat Enterprise Linux ES version 4:\n\nSource:\nftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm\n\ni386:\ndovecot-0.99.11-10.EL4.i386.rpm\ndovecot-debuginfo-0.99.11-10.EL4.i386.rpm\n\nia64:\ndovecot-0.99.11-10.EL4.ia64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.ia64.rpm\n\nx86_64:\ndovecot-0.99.11-10.EL4.x86_64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm\n\nRed Hat Enterprise Linux WS version 4:\n\nSource:\nftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm\n\ni386:\ndovecot-0.99.11-10.EL4.i386.rpm\ndovecot-debuginfo-0.99.11-10.EL4.i386.rpm\n\nia64:\ndovecot-0.99.11-10.EL4.ia64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.ia64.rpm\n\nx86_64:\ndovecot-0.99.11-10.EL4.x86_64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm\n\nRHEL Desktop Workstation (v. 
5 client):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/dovecot-1.0.7-7.el5_7.1.src.rpm\n\ni386:\ndovecot-1.0.7-7.el5_7.1.i386.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.i386.rpm\n\nx86_64:\ndovecot-1.0.7-7.el5_7.1.x86_64.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.x86_64.rpm\n\nRed Hat Enterprise Linux (v. 5 server):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/dovecot-1.0.7-7.el5_7.1.src.rpm\n\ni386:\ndovecot-1.0.7-7.el5_7.1.i386.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.i386.rpm\n\nia64:\ndovecot-1.0.7-7.el5_7.1.ia64.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.ia64.rpm\n\nppc:\ndovecot-1.0.7-7.el5_7.1.ppc.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.ppc.rpm\n\ns390x:\ndovecot-1.0.7-7.el5_7.1.s390x.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.s390x.rpm\n\nx86_64:\ndovecot-1.0.7-7.el5_7.1.x86_64.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm\n\ni386:\ndovecot-2.0.9-2.el6_1.1.i686.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm\ndovecot-mysql-2.0.9-2.el6_1.1.i686.rpm\ndovecot-pgsql-2.0.9-2.el6_1.1.i686.rpm\ndovecot-pigeonhole-2.0.9-2.el6_1.1.i686.rpm\n\nppc64:\ndovecot-2.0.9-2.el6_1.1.ppc.rpm\ndovecot-2.0.9-2.el6_1.1.ppc64.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.ppc.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.ppc64.rpm\ndovecot-mysql-2.0.9-2.el6_1.1.ppc64.rpm\ndovecot-pgsql-2.0.9-2.el6_1.1.ppc64.rpm\ndovecot-pigeonhole-2.0.9-2.el6_1.1.ppc64.rpm\n\ns390x:\ndovecot-2.0.9-2.el6_1.1.s390.rpm\ndovecot-2.0.9-2.el6_1.1.s390x.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.s390.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.s390x.rpm\ndovecot-mysql-2.0.9-2.el6_1.1.s390x.rpm\ndovecot-pgsql-2.0.9-2.el6_1.1.s390x.rpm\ndovecot-pigeonhole-2.0.9-2.el6_1.1.s390x.rpm\n\nx86_64:\ndovecot-2.0.9-2.el6_1.1.i686.rpm\ndovecot-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm\ndovecot-debugin
fo-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-mysql-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-pgsql-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-pigeonhole-2.0.9-2.el6_1.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm\n\ni386:\ndovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm\ndovecot-devel-2.0.9-2.el6_1.1.i686.rpm\n\nppc64:\ndovecot-debuginfo-2.0.9-2.el6_1.1.ppc64.rpm\ndovecot-devel-2.0.9-2.el6_1.1.ppc64.rpm\n\ns390x:\ndovecot-debuginfo-2.0.9-2.el6_1.1.s390x.rpm\ndovecot-devel-2.0.9-2.el6_1.1.s390x.rpm\n\nx86_64:\ndovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-devel-2.0.9-2.el6_1.1.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm\n\ni386:\ndovecot-2.0.9-2.el6_1.1.i686.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm\ndovecot-mysql-2.0.9-2.el6_1.1.i686.rpm\ndovecot-pgsql-2.0.9-2.el6_1.1.i686.rpm\ndovecot-pigeonhole-2.0.9-2.el6_1.1.i686.rpm\n\nx86_64:\ndovecot-2.0.9-2.el6_1.1.i686.rpm\ndovecot-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-mysql-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-pgsql-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-pigeonhole-2.0.9-2.el6_1.1.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm\n\ni386:\ndovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm\ndovecot-devel-2.0.9-2.el6_1.1.i686.rpm\n\nx86_64:\ndovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-devel-2.0.9-2.el6_1.1.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and \ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/#package\n\n7. 
References:\n\nhttps://www.redhat.com/security/data/cve/CVE-2011-1929.html\nhttps://access.redhat.com/security/updates/classification/#moderate\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2011 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.4 (GNU/Linux)\n\niD8DBQFOTW29XlSAg2UNWIIRAr8LAKCu85vT3BXBKZ1SRebWK7B9nG6OFQCfYR3k\nP3AdaDf2BpXnEhk2OL5DTpo=\n=eG31\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 201110-04\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n http://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n Title: Dovecot: Multiple vulnerabilities\n Date: October 10, 2011\n Bugs: #286844, #293954, #314533, #368653\n ID: 201110-04\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities were found in Dovecot, the worst of which\nallowing for remote execution of arbitrary code. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 net-mail/dovecot \u003c 2.0.13 *\u003e= 1.2.17\n \u003e= 2.0.13\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in Dovecot. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nA remote attacker could exploit these vulnerabilities to cause the\nremote execution of arbitrary code, or a Denial of Service condition,\nto conduct directory traversal attacks, corrupt data, or disclose\ninformation. 
\n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Dovecot 1 users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-mail/dovecot-1.2.17\"\n\nAll Dovecot 2 users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-mail/dovecot-2.0.13\"\n\nNOTE: This is a legacy GLSA. Updates for all affected architectures are\navailable since May 28, 2011. It is likely that your system is already\nno longer affected by this issue. \n\nReferences\n==========\n\n[ 1 ] CVE-2009-3235\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235\n[ 2 ] CVE-2009-3897\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897\n[ 3 ] CVE-2010-0745\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745\n[ 4 ] CVE-2010-3304\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304\n[ 5 ] CVE-2010-3706\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706\n[ 6 ] CVE-2010-3707\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707\n[ 7 ] CVE-2010-3779\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779\n[ 8 ] CVE-2010-3780\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780\n[ 9 ] CVE-2011-1929\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929\n[ 10 ] CVE-2011-2166\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166\n[ 11 ] CVE-2011-2167\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n http://security.gentoo.org/glsa/glsa-201110-04.xml\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. 
\n\nLicense\n=======\n\nCopyright 2011 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n\n\n\n. \n \n Packages for 2009.0 are provided as of the Extended Maintenance\n Program. The verification\n of md5 checksums and GPG signatures is performed automatically for you. \n\n All packages are signed by Mandriva for security. You can obtain the\n GPG public key of the Mandriva Security Team by executing:\n\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\n\n You can view other update advisories for Mandriva Linux at:\n\n http://www.mandriva.com/security/advisories\n\n If you want to report vulnerabilities, please contact\n\n security_(at)_mandriva.com\n _______________________________________________________________________\n\n Type Bits/KeyID Date User ID\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\n \u003csecurity*mandriva.com\u003e\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.9 (GNU/Linux)\n\niD8DBQFN3e9VmqjQ0CJFipgRAjwfAJ95TzNOzqcOHVs9I3gIj1PqbuH6+gCfaxLM\nTC22GorN3moiTA4Ska8YOLU=\n=2Q1M\n-----END PGP SIGNATURE-----\n\n_______________________________________________\nFull-Disclosure - We believe in it. \nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\nHosted and sponsored by Secunia - http://secunia.com/\n. ==========================================================================\nUbuntu Security Notice USN-1143-1\nJune 02, 2011\n\ndovecot vulnerability\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 11.04\n- Ubuntu 10.10\n- Ubuntu 10.04 LTS\n\nSummary:\n\nAn attacker could send a crafted email message that could disrupt email\nservice. 
\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 11.04:\n dovecot-common 1:1.2.15-3ubuntu2.1\n\nUbuntu 10.10:\n dovecot-common 1:1.2.12-1ubuntu8.2\n\nUbuntu 10.04 LTS:\n dovecot-common 1:1.2.9-1ubuntu6.4\n\nIn general, a standard system update will make all the necessary changes. \n\n\nThe oldstable distribution (lenny) is not affected. \n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.2.15-7. \n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.0.13-1", "sources": [ { "db": "NVD", "id": "CVE-2011-1929" }, { "db": "JVNDB", "id": "JVNDB-2011-001934" }, { "db": "CNVD", "id": "CNVD-2011-2132" }, { "db": "BID", "id": "47930" }, { "db": "PACKETSTORM", "id": "104202" }, { "db": "PACKETSTORM", "id": "105652" }, { "db": "PACKETSTORM", "id": "101719" }, { "db": "PACKETSTORM", "id": "101933" }, { "db": "PACKETSTORM", "id": "101949" } ], "trust": 2.88 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2011-1929", "trust": 3.8 }, { "db": "BID", "id": "47930", "trust": 3.3 }, { "db": "OSVDB", "id": "72495", "trust": 1.8 }, { "db": "SECUNIA", "id": "44683", "trust": 1.8 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2011/05/19/6", "trust": 1.6 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2011/05/19/3", "trust": 1.6 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2011/05/18/4", "trust": 1.6 }, { "db": "SECUNIA", "id": "44827", "trust": 1.0 }, { "db": "SECUNIA", "id": "44712", "trust": 1.0 }, { "db": "SECUNIA", "id": "44756", "trust": 1.0 }, { "db": "SECUNIA", "id": "44771", "trust": 1.0 }, { "db": "JVNDB", "id": "JVNDB-2011-001934", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2011-2132", "trust": 0.6 }, { "db": "MLIST", "id": "[DOVECOT] 
20110511 V2.0.13 RELEASED", "trust": 0.6 }, { "db": "MLIST", "id": "[DOVECOT] 20110511 V1.2.17 RELEASED", "trust": 0.6 }, { "db": "MLIST", "id": "[OSS-SECURITY] 20110519 RE: DOVECOT RELEASES", "trust": 0.6 }, { "db": "MLIST", "id": "[OSS-SECURITY] 20110518 DOVECOT RELEASES", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201105-250", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "104202", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "105652", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "101719", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "101933", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "101949", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2132" }, { "db": "BID", "id": "47930" }, { "db": "JVNDB", "id": "JVNDB-2011-001934" }, { "db": "PACKETSTORM", "id": "104202" }, { "db": "PACKETSTORM", "id": "105652" }, { "db": "PACKETSTORM", "id": "101719" }, { "db": "PACKETSTORM", "id": "101933" }, { "db": "PACKETSTORM", "id": "101949" }, { "db": "CNNVD", "id": "CNNVD-201105-250" }, { "db": "NVD", "id": "CVE-2011-1929" } ] }, "id": "VAR-201105-0095", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2011-2132" } ], "trust": 0.06 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2132" } ] }, "last_update_date": "2024-07-23T19:37:05.868000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { 
"title": "v1.2.17 released", "trust": 0.8, "url": "http://dovecot.org/pipermail/dovecot/2011-may/059086.html" }, { "title": "v2.0.13 released", "trust": 0.8, "url": "http://dovecot.org/pipermail/dovecot/2011-may/059085.html" }, { "title": "dovecot-1.1 / changeset", "trust": 0.8, "url": "http://hg.dovecot.org/dovecot-1.1/rev/3698dfe0f21c" }, { "title": "RHSA-2011:1187", "trust": 0.8, "url": "https://rhn.redhat.com/errata/rhsa-2011-1187.html" }, { "title": "TLSA-2011-22", "trust": 0.8, "url": "http://www.turbolinux.co.jp/security/2011/tlsa-2011-22j.txt" }, { "title": "Dovecot denies service patch vulnerabilities", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/4012" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2132" }, { "db": "JVNDB", "id": "JVNDB-2011-001934" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-20", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2011-001934" }, { "db": "NVD", "id": "CVE-2011-1929" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 3.0, "url": "http://www.securityfocus.com/bid/47930" }, { "trust": 1.9, "url": "http://dovecot.org/pipermail/dovecot/2011-may/059086.html" }, { "trust": 1.9, "url": "http://dovecot.org/pipermail/dovecot/2011-may/059085.html" }, { "trust": 1.9, "url": "http://hg.dovecot.org/dovecot-1.1/rev/3698dfe0f21c" }, { "trust": 1.8, "url": "http://osvdb.org/72495" }, { "trust": 1.8, "url": "http://secunia.com/advisories/44683" }, { "trust": 1.6, "url": "https://bugzilla.redhat.com/show_bug.cgi?id=706286" }, { "trust": 1.6, "url": "http://www.dovecot.org/doc/news-2.0" }, { "trust": 1.6, "url": 
"http://www.dovecot.org/doc/news-1.2" }, { "trust": 1.6, "url": "http://openwall.com/lists/oss-security/2011/05/19/6" }, { "trust": 1.6, "url": "http://openwall.com/lists/oss-security/2011/05/19/3" }, { "trust": 1.6, "url": "http://openwall.com/lists/oss-security/2011/05/18/4" }, { "trust": 1.0, "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-june/061384.html" }, { "trust": 1.0, "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-may/060815.html" }, { "trust": 1.0, "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-may/060825.html" }, { "trust": 1.0, "url": "http://secunia.com/advisories/44712" }, { "trust": 1.0, "url": "http://secunia.com/advisories/44756" }, { "trust": 1.0, "url": "http://secunia.com/advisories/44771" }, { "trust": 1.0, "url": "http://secunia.com/advisories/44827" }, { "trust": 1.0, "url": "http://www.debian.org/security/2011/dsa-2252" }, { "trust": 1.0, "url": "http://www.mandriva.com/security/advisories?name=mdvsa-2011:101" }, { "trust": 1.0, "url": "http://www.redhat.com/support/errata/rhsa-2011-1187.html" }, { "trust": 1.0, "url": "http://www.ubuntu.com/usn/usn-1143-1" }, { "trust": 1.0, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67589" }, { "trust": 1.0, "url": "https://hermes.opensuse.org/messages/8581790" }, { "trust": 0.9, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-1929" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-1929" }, { "trust": 0.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2011-1929" }, { "trust": 0.3, "url": "http://www.dovecot.org/" }, { "trust": 0.2, "url": "http://secunia.com/" }, { "trust": 0.2, "url": "http://lists.grok.org.uk/full-disclosure-charter.html" }, { "trust": 0.1, "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.1, "url": "https://rhn.redhat.com/errata/rhsa-2011-1187.html" }, { "trust": 0.1, "url": "https://access.redhat.com/kb/docs/doc-11259" 
}, { "trust": 0.1, "url": "https://access.redhat.com/security/team/key/#package" }, { "trust": 0.1, "url": "http://bugzilla.redhat.com/):" }, { "trust": 0.1, "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "trust": 0.1, "url": "https://www.redhat.com/security/data/cve/cve-2011-1929.html" }, { "trust": 0.1, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-1929" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3304" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3706" }, { "trust": 0.1, "url": "http://creativecommons.org/licenses/by-sa/2.5" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-0745" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3897" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3779" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2167" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3707" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2009-3897" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3780" }, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2166" }, { "trust": 0.1, "url": "http://security.gentoo.org/" }, { "trust": 0.1, "url": "https://bugs.gentoo.org." 
}, { "trust": 0.1, "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3235" }, { "trust": 0.1, "url": "http://security.gentoo.org/glsa/glsa-201110-04.xml" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2009-3235" }, { "trust": 0.1, "url": "http://store.mandriva.com/product_info.php\\?cpath=149\\\u0026amp;products_id=490" }, { "trust": 0.1, "url": "http://www.mandriva.com/security/" }, { "trust": 0.1, "url": "http://www.mandriva.com/security/advisories" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/dovecot/1:1.2.15-3ubuntu2.1" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/dovecot/1:1.2.12-1ubuntu8.2" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/dovecot/1:1.2.9-1ubuntu6.4" }, { "trust": 0.1, "url": "http://www.debian.org/security/faq" }, { "trust": 0.1, "url": "http://www.debian.org/security/" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2011-2132" }, { "db": "BID", "id": "47930" }, { "db": "JVNDB", "id": "JVNDB-2011-001934" }, { "db": "PACKETSTORM", "id": "104202" }, { "db": "PACKETSTORM", "id": "105652" }, { "db": "PACKETSTORM", "id": "101719" }, { "db": "PACKETSTORM", "id": "101933" }, { "db": "PACKETSTORM", "id": "101949" }, { "db": "CNNVD", "id": "CNNVD-201105-250" }, { "db": "NVD", "id": "CVE-2011-1929" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2011-2132" }, { "db": "BID", "id": "47930" }, { "db": "JVNDB", "id": "JVNDB-2011-001934" }, { "db": "PACKETSTORM", "id": "104202" }, { "db": "PACKETSTORM", "id": "105652" }, { "db": "PACKETSTORM", "id": "101719" }, { "db": "PACKETSTORM", "id": "101933" }, { "db": "PACKETSTORM", "id": "101949" }, { "db": "CNNVD", "id": "CNNVD-201105-250" }, { "db": "NVD", "id": "CVE-2011-1929" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ 
{ "date": "2011-06-05T00:00:00", "db": "CNVD", "id": "CNVD-2011-2132" }, { "date": "2011-05-19T00:00:00", "db": "BID", "id": "47930" }, { "date": "2011-07-26T00:00:00", "db": "JVNDB", "id": "JVNDB-2011-001934" }, { "date": "2011-08-19T01:53:33", "db": "PACKETSTORM", "id": "104202" }, { "date": "2011-10-10T22:42:12", "db": "PACKETSTORM", "id": "105652" }, { "date": "2011-05-26T13:48:10", "db": "PACKETSTORM", "id": "101719" }, { "date": "2011-06-02T06:03:22", "db": "PACKETSTORM", "id": "101933" }, { "date": "2010-06-02T12:13:00", "db": "PACKETSTORM", "id": "101949" }, { "date": "2011-05-25T00:00:00", "db": "CNNVD", "id": "CNNVD-201105-250" }, { "date": "2011-05-24T23:55:04.387000", "db": "NVD", "id": "CVE-2011-1929" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2011-06-05T00:00:00", "db": "CNVD", "id": "CNVD-2011-2132" }, { "date": "2015-04-13T21:58:00", "db": "BID", "id": "47930" }, { "date": "2011-08-31T00:00:00", "db": "JVNDB", "id": "JVNDB-2011-001934" }, { "date": "2011-05-25T00:00:00", "db": "CNNVD", "id": "CNNVD-201105-250" }, { "date": "2017-08-17T01:34:28.213000", "db": "NVD", "id": "CVE-2011-1929" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "105652" }, { "db": "PACKETSTORM", "id": "101719" }, { "db": "PACKETSTORM", "id": "101933" }, { "db": "CNNVD", "id": "CNNVD-201105-250" } ], "trust": 0.9 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Dovecot of lib-mail/message-header-parser.c Service disruption in (DoS) Vulnerabilities", "sources": [ { "db": "JVNDB", "id": "JVNDB-2011-001934" } 
], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "input validation", "sources": [ { "db": "CNNVD", "id": "CNNVD-201105-250" } ], "trust": 0.6 } }
var-201803-1087
Vulnerability from variot
A denial of service flaw was found in Dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and causing the process to restart. Dovecot contains a resource management vulnerability that may result in a denial-of-service (DoS) condition. Dovecot is an open source IMAP and POP3 mail server for Linux/UNIX-like systems.
==========================================================================
Ubuntu Security Notice USN-3587-2
April 02, 2018
dovecot vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in Dovecot. This update provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that Dovecot incorrectly handled parsing certain email addresses. (CVE-2017-14461)
It was discovered that Dovecot incorrectly handled TLS SNI config lookups. A remote attacker could possibly use this issue to cause Dovecot to crash, resulting in a denial of service. (CVE-2017-15130)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 12.04 ESM: dovecot-core 1:2.0.19-0ubuntu2.5
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3587-2
https://usn.ubuntu.com/usn/usn-3587-1
CVE-2017-14461, CVE-2017-15130

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Debian Security Advisory DSA-4130-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 02, 2018 https://www.debian.org/security/faq
Package : dovecot
CVE ID : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132
Debian Bug : 888432 891819 891820
Several vulnerabilities have been discovered in the Dovecot email server. The Common Vulnerabilities and Exposures project identifies the following issues:
CVE-2017-14461
Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that
Dovecot does not properly parse invalid email addresses, which may
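cause a crash or leak memory contents to an attacker.
[Editor's note: the advisory header lists CVE-2017-15130, but its entry is missing from this copy. The restriction below to local_name { } / local { } blocks concerns TLS SNI config lookups and most likely belongs to CVE-2017-15130, not to the address-parsing flaw CVE-2017-14461; check the original DSA-4130-1 before using it to scope exposure.]
Only Dovecot configurations containing local_name { } or local { }
configuration blocks are affected.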
CVE-2017-15132
It was discovered that Dovecot contains a memory leak flaw in the
login process on aborted SASL authentication.
For the oldstable distribution (jessie), these problems have been fixed in version 1:2.2.13-12~deb8u4.
For the stable distribution (stretch), these problems have been fixed in version 1:2.2.27-3+deb9u2.
We recommend that you upgrade your dovecot packages.
For the detailed security status of dovecot please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dovecot
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqZzelfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0T8fg/+KmUzgEXDQFSnWOmSt+8GXFB08C2XtXmopMuej/1tjkZZ7B04vXfkgYZ9 u7zICbM56VrTmnXOYnLuXjqLrzGO0Y9jX+Z5G4BSw0TgP+g6ME72ZvqxuE4IKQqi QlaKTX86B1AMpzvkLrhwXlArJDr7pJzOonFJds6rKtVA4OvY4/fAAWrH89BFchet VwdO5rngcd/qnAYVOZglTMfgVlzxvenx+0fbQ6JFS6T8ODOFSsnwth64u3KY8yYj 4PGTBqX4m+2S2q2qGinueBgHNUV4RK71Zw1QYDa2gMBQR3HtlMnDhmQ4uYCvKP04 Z1GJYX6dMxMSWPKC2WecrdCSV+QAdMlYypKbhqcLA4LHcdPR+v35oQT4X/SYd2WS Zf50KMYUm9Q3YiOHVDrJo+o21hX4g8hRw1wdewZz+wyQ1n1TOlVtRh4vmACKRzNx 7bUayEvVU3q3VQd+dDH2Bl+TBiO7RB5/b2pHp8vHwAlVX00jYSSnoLUKT0L4BQ54 +1DZ8j88OFKDxTgOsbk19rhfraY7iejAjHZDVnJBwC/tB9REG6DOrDIG4OJqTKw4 sP1JaHryOGXzOf/8h61rY5HAuwofGkAZN7S+Bel0+zGYJvIcSyxpBKvJB/0TDNjm E5KphLFG9RGVmdeVkQzG6tGUMnMXxFrAD5U3hlzUsNGLLA+RE78= =Yh09 -----END PGP SIGNATURE-----
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201803-1087", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "dovecot", "scope": "lt", "trust": 1.6, "vendor": "dovecot", "version": "2.2.34" }, { "model": "ubuntu linux", "scope": "eq", "trust": 1.6, "vendor": "canonical", "version": "17.10" }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", 
"version": "8.0" }, { "model": "ubuntu linux", "scope": "eq", "trust": 1.0, "vendor": "canonical", "version": "14.04" }, { "model": "ubuntu linux", "scope": "eq", "trust": 1.0, "vendor": "canonical", "version": "16.04" }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "9.0" }, { "model": "ubuntu", "scope": null, "trust": 0.8, "vendor": "canonical", "version": null }, { "model": "gnu/linux", "scope": null, "trust": 0.8, "vendor": "debian", "version": null }, { "model": "dovecot", "scope": "lt", "trust": 0.8, "vendor": "timo sirainen", "version": "2.2.34" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-05070" }, { "db": "JVNDB", "id": "JVNDB-2017-012758" }, { "db": "NVD", "id": "CVE-2017-15130" }, { "db": "CNNVD", "id": "CNNVD-201803-092" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.2.34", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2017-15130" } ] }, "credits": { 
"@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Ubuntu", "sources": [ { "db": "PACKETSTORM", "id": "147005" }, { "db": "PACKETSTORM", "id": "146647" } ], "trust": 0.2 }, "cve": "CVE-2017-15130", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "exploitabilityScore": 8.6, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Medium", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 4.3, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2017-15130", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": 
"AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 2.6, "confidentialityImpact": "NONE", "exploitabilityScore": 4.9, "id": "CNVD-2018-05070", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "LOW", "trust": 0.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "HIGH", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitabilityScore": 2.2, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, { "attackComplexity": "High", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 5.9, "baseSeverity": "Medium", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2017-15130", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2017-15130", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNVD", "id": "CNVD-2018-05070", "trust": 0.6, "value": "LOW" }, { "author": "CNNVD", "id": "CNNVD-201803-092", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-05070" }, { "db": "JVNDB", "id": "JVNDB-2017-012758" }, { "db": "NVD", "id": "CVE-2017-15130" }, { "db": "CNNVD", "id": "CNNVD-201803-092" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "A 
denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart. dovecot Contains a resource management vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Dovecot is an open source IMAP and POP3 mail server based on Linux/UNIX-like systems. ==========================================================================\nUbuntu Security Notice USN-3587-2\nApril 02, 2018\n\ndovecot vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 12.04 ESM\n\nSummary:\n\nSeveral security issues were fixed in Dovecot. This update provides\nthe corresponding update for Ubuntu 12.04 ESM. \n\nOriginal advisory details:\n\n It was discovered that Dovecot incorrectly handled parsing certain\n email addresses. (CVE-2017-14461)\n\n It was discovered that Dovecot incorrectly handled TLS SNI config\n lookups. A remote attacker could possibly use this issue to cause\n Dovecot to crash, resulting in a denial of service. (CVE-2017-15130)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 12.04 ESM:\n dovecot-core 1:2.0.19-0ubuntu2.5\n\nIn general, a standard system update will make all the necessary\nchanges. \n\nReferences:\n https://usn.ubuntu.com/usn/usn-3587-2\n https://usn.ubuntu.com/usn/usn-3587-1\n CVE-2017-14461, CVE-2017-15130\n. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4130-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMarch 02, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : dovecot\nCVE ID : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132\nDebian Bug : 888432 891819 891820\n\nSeveral vulnerabilities have been discovered in the Dovecot email\nserver. The Common Vulnerabilities and Exposures project identifies the\nfollowing issues:\n\nCVE-2017-14461\n\n Aleksandar Nikolic of Cisco Talos and \u0027flxflndy\u0027 discovered that\n Dovecot does not properly parse invalid email addresses, which may\n cause a crash or leak memory contents to an attacker. Only\n Dovecot configurations containing local_name { } or local { }\n configuration blocks are affected. \n\nCVE-2017-15132\n\n It was discovered that Dovecot contains a memory leak flaw in the\n login process on aborted SASL authentication. \n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 1:2.2.13-12~deb8u4. \n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1:2.2.27-3+deb9u2. \n\nWe recommend that you upgrade your dovecot packages. 
\n\nFor the detailed security status of dovecot please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/dovecot\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqZzelfFIAAAAAALgAo\naXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2\nNDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND\nz0T8fg/+KmUzgEXDQFSnWOmSt+8GXFB08C2XtXmopMuej/1tjkZZ7B04vXfkgYZ9\nu7zICbM56VrTmnXOYnLuXjqLrzGO0Y9jX+Z5G4BSw0TgP+g6ME72ZvqxuE4IKQqi\nQlaKTX86B1AMpzvkLrhwXlArJDr7pJzOonFJds6rKtVA4OvY4/fAAWrH89BFchet\nVwdO5rngcd/qnAYVOZglTMfgVlzxvenx+0fbQ6JFS6T8ODOFSsnwth64u3KY8yYj\n4PGTBqX4m+2S2q2qGinueBgHNUV4RK71Zw1QYDa2gMBQR3HtlMnDhmQ4uYCvKP04\nZ1GJYX6dMxMSWPKC2WecrdCSV+QAdMlYypKbhqcLA4LHcdPR+v35oQT4X/SYd2WS\nZf50KMYUm9Q3YiOHVDrJo+o21hX4g8hRw1wdewZz+wyQ1n1TOlVtRh4vmACKRzNx\n7bUayEvVU3q3VQd+dDH2Bl+TBiO7RB5/b2pHp8vHwAlVX00jYSSnoLUKT0L4BQ54\n+1DZ8j88OFKDxTgOsbk19rhfraY7iejAjHZDVnJBwC/tB9REG6DOrDIG4OJqTKw4\nsP1JaHryOGXzOf/8h61rY5HAuwofGkAZN7S+Bel0+zGYJvIcSyxpBKvJB/0TDNjm\nE5KphLFG9RGVmdeVkQzG6tGUMnMXxFrAD5U3hlzUsNGLLA+RE78=\n=Yh09\n-----END PGP SIGNATURE-----\n", "sources": [ { "db": "NVD", "id": "CVE-2017-15130" }, { "db": "JVNDB", "id": "JVNDB-2017-012758" }, { "db": "CNVD", "id": "CNVD-2018-05070" }, { "db": "PACKETSTORM", "id": "147005" }, { "db": "PACKETSTORM", "id": "146647" }, { "db": "PACKETSTORM", "id": "146656" } ], "trust": 2.43 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2017-15130", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2017-012758", 
"trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2018-05070", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201803-092", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "147005", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "146647", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "146656", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-05070" }, { "db": "JVNDB", "id": "JVNDB-2017-012758" }, { "db": "PACKETSTORM", "id": "147005" }, { "db": "PACKETSTORM", "id": "146647" }, { "db": "PACKETSTORM", "id": "146656" }, { "db": "NVD", "id": "CVE-2017-15130" }, { "db": "CNNVD", "id": "CNNVD-201803-092" } ] }, "id": "VAR-201803-1087", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2018-05070" } ], "trust": 0.06 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-05070" } ] }, "last_update_date": "2023-12-18T12:57:05.135000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "[SECURITY] [DLA 1333-1] dovecot security update", "trust": 0.8, "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "title": "DSA-4130", "trust": 0.8, "url": "https://www.debian.org/security/2018/dsa-4130" }, { "title": "[Dovecot-news] v2.2.34 released", "trust": 0.8, "url": "https://www.dovecot.org/list/dovecot-news/2018-february/000370.html" }, { "title": "USN-3587-1", "trust": 0.8, "url": 
"https://usn.ubuntu.com/3587-1/" }, { "title": "USN-3587-2", "trust": 0.8, "url": "https://usn.ubuntu.com/3587-2/" }, { "title": "Patch for dovecot denial of service vulnerability (CNVD-2018-05070)", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/121071" }, { "title": "Dovecot Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=78880" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-05070" }, { "db": "JVNDB", "id": "JVNDB-2017-012758" }, { "db": "CNNVD", "id": "CNNVD-201803-092" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-noinfo", "trust": 1.0 }, { "problemtype": "CWE-399", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-012758" }, { "db": "NVD", "id": "CVE-2017-15130" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-15130" }, { "trust": 1.6, "url": "http://seclists.org/oss-sec/2018/q1/205" }, { "trust": 1.6, "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1532356" }, { "trust": 1.6, "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html" }, { "trust": 1.6, "url": "https://usn.ubuntu.com/3587-1/" }, { "trust": 1.6, "url": "https://usn.ubuntu.com/3587-2/" }, { "trust": 1.6, "url": "https://www.debian.org/security/2018/dsa-4130" }, { "trust": 1.6, "url": "https://www.dovecot.org/list/dovecot-news/2018-february/000370.html" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-15130" }, { "trust": 0.3, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-14461" }, { "trust": 0.2, "url": 
"https://usn.ubuntu.com/usn/usn-3587-1" }, { "trust": 0.1, "url": "https://usn.ubuntu.com/usn/usn-3587-2" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/dovecot/1:2.2.9-1ubuntu2.4" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/dovecot/1:2.2.22-1ubuntu2.7" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/dovecot/1:2.2.27-3ubuntu1.3" }, { "trust": 0.1, "url": "https://www.debian.org/security/faq" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-15132" }, { "trust": 0.1, "url": "https://www.debian.org/security/" }, { "trust": 0.1, "url": "https://security-tracker.debian.org/tracker/dovecot" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-05070" }, { "db": "JVNDB", "id": "JVNDB-2017-012758" }, { "db": "PACKETSTORM", "id": "147005" }, { "db": "PACKETSTORM", "id": "146647" }, { "db": "PACKETSTORM", "id": "146656" }, { "db": "NVD", "id": "CVE-2017-15130" }, { "db": "CNNVD", "id": "CNNVD-201803-092" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2018-05070" }, { "db": "JVNDB", "id": "JVNDB-2017-012758" }, { "db": "PACKETSTORM", "id": "147005" }, { "db": "PACKETSTORM", "id": "146647" }, { "db": "PACKETSTORM", "id": "146656" }, { "db": "NVD", "id": "CVE-2017-15130" }, { "db": "CNNVD", "id": "CNNVD-201803-092" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-03-13T00:00:00", "db": "CNVD", "id": "CNVD-2018-05070" }, { "date": "2018-04-13T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-012758" }, { "date": "2018-04-02T16:54:55", "db": "PACKETSTORM", "id": "147005" }, { "date": "2018-03-05T22:23:00", "db": "PACKETSTORM", "id": "146647" }, { "date": "2018-03-05T23:45:22", "db": "PACKETSTORM", "id": "146656" }, { "date": "2018-03-02T15:29:00.273000", "db": "NVD", "id": 
"CVE-2017-15130" }, { "date": "2018-03-07T00:00:00", "db": "CNNVD", "id": "CNNVD-201803-092" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-03-13T00:00:00", "db": "CNVD", "id": "CNVD-2018-05070" }, { "date": "2018-04-13T00:00:00", "db": "JVNDB", "id": "JVNDB-2017-012758" }, { "date": "2019-10-03T00:03:26.223000", "db": "NVD", "id": "CVE-2017-15130" }, { "date": "2019-10-23T00:00:00", "db": "CNNVD", "id": "CNNVD-201803-092" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "147005" }, { "db": "PACKETSTORM", "id": "146647" }, { "db": "CNNVD", "id": "CNNVD-201803-092" } ], "trust": 0.8 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "dovecot Resource management vulnerability", "sources": [ { "db": "JVNDB", "id": "JVNDB-2017-012758" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "resource management error", "sources": [ { "db": "CNNVD", "id": "CNNVD-201803-092" } ], "trust": 0.6 } }