All the vulnerabilites related to dovecot - dovecot
cve-2013-6171
Vulnerability from cvelistv5
Published
2013-12-09 11:00
Modified
2024-08-06 17:29
Severity ?
Summary
checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server.
References
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T17:29:42.974Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://cpanel.net/tsr-2013-0010-full-disclosure/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security",
               },
               {
                  name: "USN-3556-2",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3556-2/",
               },
               {
                  name: "54808",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/54808",
               },
               {
                  name: "[Dovecot-news] 20131103 v2.2.7 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot-news/2013-November/000264.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2013-11-03T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2018-03-15T09:57:02",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://cpanel.net/tsr-2013-0010-full-disclosure/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security",
            },
            {
               name: "USN-3556-2",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3556-2/",
            },
            {
               name: "54808",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/54808",
            },
            {
               name: "[Dovecot-news] 20131103 v2.2.7 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot-news/2013-November/000264.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2013-6171",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "http://cpanel.net/tsr-2013-0010-full-disclosure/",
                     refsource: "MISC",
                     url: "http://cpanel.net/tsr-2013-0010-full-disclosure/",
                  },
                  {
                     name: "http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security",
                     refsource: "CONFIRM",
                     url: "http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security",
                  },
                  {
                     name: "USN-3556-2",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3556-2/",
                  },
                  {
                     name: "54808",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/54808",
                  },
                  {
                     name: "[Dovecot-news] 20131103 v2.2.7 released",
                     refsource: "MLIST",
                     url: "http://www.dovecot.org/list/dovecot-news/2013-November/000264.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2013-6171",
      datePublished: "2013-12-09T11:00:00",
      dateReserved: "2013-10-18T00:00:00",
      dateUpdated: "2024-08-06T17:29:42.974Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-11494
Vulnerability from cvelistv5
Published
2019-05-08 17:04
Modified
2024-08-04 22:55
Summary
In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T22:55:40.377Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.dovecot.org/security.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.dovecot.org/download.html",
               },
               {
                  name: "FEDORA-2019-9e004decea",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/",
               },
               {
                  name: "FEDORA-2019-1b61a528dd",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
               },
               {
                  name: "openSUSE-SU-2019:2281",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html",
               },
               {
                  name: "openSUSE-SU-2019:2278",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:U/UI:N",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-10-07T20:06:12",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.dovecot.org/security.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.dovecot.org/download.html",
            },
            {
               name: "FEDORA-2019-9e004decea",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/",
            },
            {
               name: "FEDORA-2019-1b61a528dd",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
            },
            {
               name: "openSUSE-SU-2019:2281",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html",
            },
            {
               name: "openSUSE-SU-2019:2278",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2019-11494",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:U/UI:N",
                  version: "3.0",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.dovecot.org/security.html",
                     refsource: "MISC",
                     url: "https://www.dovecot.org/security.html",
                  },
                  {
                     name: "https://www.dovecot.org/download.html",
                     refsource: "MISC",
                     url: "https://www.dovecot.org/download.html",
                  },
                  {
                     name: "FEDORA-2019-9e004decea",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/",
                  },
                  {
                     name: "FEDORA-2019-1b61a528dd",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
                  },
                  {
                     name: "openSUSE-SU-2019:2281",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html",
                  },
                  {
                     name: "openSUSE-SU-2019:2278",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-11494",
      datePublished: "2019-05-08T17:04:02",
      dateReserved: "2019-04-23T00:00:00",
      dateUpdated: "2024-08-04T22:55:40.377Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2009-3897
Vulnerability from cvelistv5
Published
2009-11-24 17:00
Modified
2024-08-07 06:45
Severity ?
Summary
Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T06:45:50.108Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "37443",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/37443",
               },
               {
                  name: "60316",
                  tags: [
                     "vdb-entry",
                     "x_refsource_OSVDB",
                     "x_transferred",
                  ],
                  url: "http://www.osvdb.org/60316",
               },
               {
                  name: "[oss-security] 20091121 CVE Request - Dovecot - 1.2.8",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://marc.info/?l=oss-security&m=125881481222441&w=2",
               },
               {
                  name: "[dovecot-news] 20091120 v1.2.8 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot-news/2009-November/000143.html",
               },
               {
                  name: "SUSE-SR:2010:001",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html",
               },
               {
                  name: "ADV-2009-3306",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2009/3306",
               },
               {
                  name: "[oss-security] 20091123 Re: CVE request: v1.2.8 released to fix the 0777 base_dir creation issue",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://marc.info/?l=oss-security&m=125900267208712&w=2",
               },
               {
                  name: "[oss-security] 20091120 CVE request: v1.2.8 released to fix the 0777 base_dir creation issue",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://marc.info/?l=oss-security&m=125871729029145&w=2",
               },
               {
                  name: "37084",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/37084",
               },
               {
                  name: "MDVSA-2009:306",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_MANDRIVA",
                     "x_transferred",
                  ],
                  url: "http://www.mandriva.com/security/advisories?name=MDVSA-2009:306",
               },
               {
                  name: "[oss-security] 20091123 Re: CVE Request - Dovecot - 1.2.8",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://marc.info/?l=oss-security&m=125900271508796&w=2",
               },
               {
                  name: "dovecot-basedir-privilege-escalation(54363)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/54363",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2009-11-20T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-08-16T14:57:01",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "37443",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/37443",
            },
            {
               name: "60316",
               tags: [
                  "vdb-entry",
                  "x_refsource_OSVDB",
               ],
               url: "http://www.osvdb.org/60316",
            },
            {
               name: "[oss-security] 20091121 CVE Request - Dovecot - 1.2.8",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://marc.info/?l=oss-security&m=125881481222441&w=2",
            },
            {
               name: "[dovecot-news] 20091120 v1.2.8 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot-news/2009-November/000143.html",
            },
            {
               name: "SUSE-SR:2010:001",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html",
            },
            {
               name: "ADV-2009-3306",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2009/3306",
            },
            {
               name: "[oss-security] 20091123 Re: CVE request: v1.2.8 released to fix the 0777 base_dir creation issue",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://marc.info/?l=oss-security&m=125900267208712&w=2",
            },
            {
               name: "[oss-security] 20091120 CVE request: v1.2.8 released to fix the 0777 base_dir creation issue",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://marc.info/?l=oss-security&m=125871729029145&w=2",
            },
            {
               name: "37084",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/37084",
            },
            {
               name: "MDVSA-2009:306",
               tags: [
                  "vendor-advisory",
                  "x_refsource_MANDRIVA",
               ],
               url: "http://www.mandriva.com/security/advisories?name=MDVSA-2009:306",
            },
            {
               name: "[oss-security] 20091123 Re: CVE Request - Dovecot - 1.2.8",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://marc.info/?l=oss-security&m=125900271508796&w=2",
            },
            {
               name: "dovecot-basedir-privilege-escalation(54363)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/54363",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2009-3897",
      datePublished: "2009-11-24T17:00:00",
      dateReserved: "2009-11-05T00:00:00",
      dateUpdated: "2024-08-07T06:45:50.108Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-7524
Vulnerability from cvelistv5
Published
2019-03-28 13:45
Modified
2024-08-04 20:54
Summary
In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T20:54:27.055Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/list/dovecot-news/2019-March/000403.html",
               },
               {
                  name: "[oss-security] 20190328 CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2019/03/28/1",
               },
               {
                  name: "20190328 [SECURITY] [DSA 4418-1] dovecot security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "https://seclists.org/bugtraq/2019/Mar/59",
               },
               {
                  name: "DSA-4418",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2019/dsa-4418",
               },
               {
                  name: "[debian-lts-announce] 20190329 [SECURITY] [DLA 1736-1] dovecot security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2019/03/msg00038.html",
               },
               {
                  name: "USN-3928-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3928-1/",
               },
               {
                  name: "107672",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/107672",
               },
               {
                  name: "openSUSE-SU-2019:1212",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00060.html",
               },
               {
                  name: "openSUSE-SU-2019:1220",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html",
               },
               {
                  name: "GLSA-201904-19",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/201904-19",
               },
               {
                  name: "FEDORA-2019-9e004decea",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/",
               },
               {
                  name: "FEDORA-2019-1b61a528dd",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 8.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AC:L/AV:L/A:H/C:H/I:H/PR:L/S:C/UI:N",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-07-12T07:06:05",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/list/dovecot-news/2019-March/000403.html",
            },
            {
               name: "[oss-security] 20190328 CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2019/03/28/1",
            },
            {
               name: "20190328 [SECURITY] [DSA 4418-1] dovecot security update",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "https://seclists.org/bugtraq/2019/Mar/59",
            },
            {
               name: "DSA-4418",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2019/dsa-4418",
            },
            {
               name: "[debian-lts-announce] 20190329 [SECURITY] [DLA 1736-1] dovecot security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2019/03/msg00038.html",
            },
            {
               name: "USN-3928-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3928-1/",
            },
            {
               name: "107672",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/107672",
            },
            {
               name: "openSUSE-SU-2019:1212",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00060.html",
            },
            {
               name: "openSUSE-SU-2019:1220",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html",
            },
            {
               name: "GLSA-201904-19",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/201904-19",
            },
            {
               name: "FEDORA-2019-9e004decea",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/",
            },
            {
               name: "FEDORA-2019-1b61a528dd",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2019-7524",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AC:L/AV:L/A:H/C:H/I:H/PR:L/S:C/UI:N",
                  version: "3.0",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security.html",
                     refsource: "MISC",
                     url: "https://dovecot.org/security.html",
                  },
                  {
                     name: "https://dovecot.org/list/dovecot-news/2019-March/000403.html",
                     refsource: "MISC",
                     url: "https://dovecot.org/list/dovecot-news/2019-March/000403.html",
                  },
                  {
                     name: "[oss-security] 20190328 CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2019/03/28/1",
                  },
                  {
                     name: "20190328 [SECURITY] [DSA 4418-1] dovecot security update",
                     refsource: "BUGTRAQ",
                     url: "https://seclists.org/bugtraq/2019/Mar/59",
                  },
                  {
                     name: "DSA-4418",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2019/dsa-4418",
                  },
                  {
                     name: "[debian-lts-announce] 20190329 [SECURITY] [DLA 1736-1] dovecot security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2019/03/msg00038.html",
                  },
                  {
                     name: "USN-3928-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3928-1/",
                  },
                  {
                     name: "107672",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/107672",
                  },
                  {
                     name: "openSUSE-SU-2019:1212",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00060.html",
                  },
                  {
                     name: "openSUSE-SU-2019:1220",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html",
                  },
                  {
                     name: "GLSA-201904-19",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/201904-19",
                  },
                  {
                     name: "FEDORA-2019-9e004decea",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/",
                  },
                  {
                     name: "FEDORA-2019-1b61a528dd",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-7524",
      datePublished: "2019-03-28T13:45:20",
      dateReserved: "2019-02-06T00:00:00",
      dateUpdated: "2024-08-04T20:54:27.055Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2007-4211
Vulnerability from cvelistv5
Published
2007-08-08 01:52
Modified
2024-08-07 14:46
Severity ?
Summary
The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command.
References
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11558vdb-entry, signature, x_refsource_OVAL
https://exchange.xforce.ibmcloud.com/vulnerabilities/35767vdb-entry, x_refsource_XF
http://secunia.com/advisories/30342third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2008-0297.htmlvendor-advisory, x_refsource_REDHAT
http://www.securityfocus.com/bid/25182vdb-entry, x_refsource_BID
https://issues.rpath.com/browse/RPL-1621x_refsource_CONFIRM
http://secunia.com/advisories/26320third-party-advisory, x_refsource_SECUNIA
http://www.dovecot.org/list/dovecot-news/2007-August/000048.htmlmailing-list, x_refsource_MLIST
http://secunia.com/advisories/26475third-party-advisory, x_refsource_SECUNIA
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T14:46:39.432Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "oval:org.mitre.oval:def:11558",
                  tags: [
                     "vdb-entry",
                     "signature",
                     "x_refsource_OVAL",
                     "x_transferred",
                  ],
                  url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11558",
               },
               {
                  name: "dovecot-aclplugin-security-bypass(35767)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/35767",
               },
               {
                  name: "30342",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/30342",
               },
               {
                  name: "RHSA-2008:0297",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html",
               },
               {
                  name: "25182",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/25182",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://issues.rpath.com/browse/RPL-1621",
               },
               {
                  name: "26320",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/26320",
               },
               {
                  name: "[dovecot-news] 20070801 v1.0.3 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot-news/2007-August/000048.html",
               },
               {
                  name: "26475",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/26475",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2007-08-01T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-09-28T12:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "oval:org.mitre.oval:def:11558",
               tags: [
                  "vdb-entry",
                  "signature",
                  "x_refsource_OVAL",
               ],
               url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11558",
            },
            {
               name: "dovecot-aclplugin-security-bypass(35767)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/35767",
            },
            {
               name: "30342",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/30342",
            },
            {
               name: "RHSA-2008:0297",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html",
            },
            {
               name: "25182",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/25182",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://issues.rpath.com/browse/RPL-1621",
            },
            {
               name: "26320",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/26320",
            },
            {
               name: "[dovecot-news] 20070801 v1.0.3 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot-news/2007-August/000048.html",
            },
            {
               name: "26475",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/26475",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2007-4211",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The ACL plugin in Dovecot before 1.0.3 allows remote authenticated users with the insert right to save certain flags via a (1) COPY or (2) APPEND command.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "oval:org.mitre.oval:def:11558",
                     refsource: "OVAL",
                     url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11558",
                  },
                  {
                     name: "dovecot-aclplugin-security-bypass(35767)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/35767",
                  },
                  {
                     name: "30342",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/30342",
                  },
                  {
                     name: "RHSA-2008:0297",
                     refsource: "REDHAT",
                     url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html",
                  },
                  {
                     name: "25182",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/25182",
                  },
                  {
                     name: "https://issues.rpath.com/browse/RPL-1621",
                     refsource: "CONFIRM",
                     url: "https://issues.rpath.com/browse/RPL-1621",
                  },
                  {
                     name: "26320",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/26320",
                  },
                  {
                     name: "[dovecot-news] 20070801 v1.0.3 released",
                     refsource: "MLIST",
                     url: "http://www.dovecot.org/list/dovecot-news/2007-August/000048.html",
                  },
                  {
                     name: "26475",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/26475",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2007-4211",
      datePublished: "2007-08-08T01:52:00",
      dateReserved: "2007-08-07T00:00:00",
      dateUpdated: "2024-08-07T14:46:39.432Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-29157
Vulnerability from cvelistv5
Published
2021-06-28 11:58
Modified
2024-08-03 22:02
Summary
Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T22:02:51.122Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.openwall.com/lists/oss-security/2021/06/28/1",
               },
               {
                  name: "FEDORA-2021-208340a217",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/",
               },
               {
                  name: "FEDORA-2021-891c1ab1ac",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/",
               },
               {
                  name: "GLSA-202107-41",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202107-41",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AC:H/AV:L/A:N/C:H/I:H/PR:L/S:C/UI:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-07-18T05:06:18",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.openwall.com/lists/oss-security/2021/06/28/1",
            },
            {
               name: "FEDORA-2021-208340a217",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/",
            },
            {
               name: "FEDORA-2021-891c1ab1ac",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/",
            },
            {
               name: "GLSA-202107-41",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202107-41",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2021-29157",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AC:H/AV:L/A:N/C:H/I:H/PR:L/S:C/UI:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security",
                     refsource: "MISC",
                     url: "https://dovecot.org/security",
                  },
                  {
                     name: "https://www.openwall.com/lists/oss-security/2021/06/28/1",
                     refsource: "CONFIRM",
                     url: "https://www.openwall.com/lists/oss-security/2021/06/28/1",
                  },
                  {
                     name: "FEDORA-2021-208340a217",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/",
                  },
                  {
                     name: "FEDORA-2021-891c1ab1ac",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/",
                  },
                  {
                     name: "GLSA-202107-41",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202107-41",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2021-29157",
      datePublished: "2021-06-28T11:58:41",
      dateReserved: "2021-03-25T00:00:00",
      dateUpdated: "2024-08-03T22:02:51.122Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2010-3304
Vulnerability from cvelistv5
Published
2010-09-24 18:00
Modified
2024-08-07 03:03
Severity ?
Summary
The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs.
References
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T03:03:18.915Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "[dovecot-news] 20100724 v1.2.13 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot-news/2010-July/000163.html",
               },
               {
                  name: "[oss-security] 20100916 Re: CVE-identifier request for Dovecot ACL security bug",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2010/09/16/17",
               },
               {
                  name: "USN-1059-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "http://www.ubuntu.com/usn/USN-1059-1",
               },
               {
                  name: "41964",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/41964",
               },
               {
                  name: "[oss-security] 20100916 CVE-identifier request for Dovecot ACL security bug",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2010/09/16/14",
               },
               {
                  name: "MDVSA-2010:217",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_MANDRIVA",
                     "x_transferred",
                  ],
                  url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217",
               },
               {
                  name: "43220",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/43220",
               },
               {
                  name: "ADV-2011-0301",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2011/0301",
               },
               {
                  name: "ADV-2010-2840",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2010/2840",
               },
               {
                  name: "SUSE-SR:2010:017",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2010-07-24T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2010-09-30T09:00:00",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "[dovecot-news] 20100724 v1.2.13 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot-news/2010-July/000163.html",
            },
            {
               name: "[oss-security] 20100916 Re: CVE-identifier request for Dovecot ACL security bug",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2010/09/16/17",
            },
            {
               name: "USN-1059-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "http://www.ubuntu.com/usn/USN-1059-1",
            },
            {
               name: "41964",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/41964",
            },
            {
               name: "[oss-security] 20100916 CVE-identifier request for Dovecot ACL security bug",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2010/09/16/14",
            },
            {
               name: "MDVSA-2010:217",
               tags: [
                  "vendor-advisory",
                  "x_refsource_MANDRIVA",
               ],
               url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217",
            },
            {
               name: "43220",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/43220",
            },
            {
               name: "ADV-2011-0301",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2011/0301",
            },
            {
               name: "ADV-2010-2840",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2010/2840",
            },
            {
               name: "SUSE-SR:2010:017",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2010-3304",
      datePublished: "2010-09-24T18:00:00",
      dateReserved: "2010-09-13T00:00:00",
      dateUpdated: "2024-08-07T03:03:18.915Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2010-3707
Vulnerability from cvelistv5
Published
2010-10-06 16:00
Modified
2024-08-07 03:18
Severity ?
Summary
plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T03:18:52.913Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "[oss-security] 20101004 Re: CVE Request: more dovecot ACL issues",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://marc.info/?l=oss-security&m=128622064325688&w=2",
               },
               {
                  name: "USN-1059-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "http://www.ubuntu.com/usn/USN-1059-1",
               },
               {
                  name: "SUSE-SR:2010:020",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html",
               },
               {
                  name: "ADV-2010-2572",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2010/2572",
               },
               {
                  name: "[oss-security] 20101004 CVE Request: more dovecot ACL issues",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://marc.info/?l=oss-security&m=128620520732377&w=2",
               },
               {
                  name: "MDVSA-2010:217",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_MANDRIVA",
                     "x_transferred",
                  ],
                  url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217",
               },
               {
                  name: "43220",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/43220",
               },
               {
                  name: "ADV-2011-0301",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2011/0301",
               },
               {
                  name: "[dovecot] 20101002 v1.2.15 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot/2010-October/053450.html",
               },
               {
                  name: "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot/2010-October/053452.html",
               },
               {
                  name: "RHSA-2011:0600",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2011-0600.html",
               },
               {
                  name: "ADV-2010-2840",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2010/2840",
               },
               {
                  name: "[dovecot] 20101002 v2.0.5 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot/2010-October/053451.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2010-10-02T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2010-11-19T10:00:00",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "[oss-security] 20101004 Re: CVE Request: more dovecot ACL issues",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://marc.info/?l=oss-security&m=128622064325688&w=2",
            },
            {
               name: "USN-1059-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "http://www.ubuntu.com/usn/USN-1059-1",
            },
            {
               name: "SUSE-SR:2010:020",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html",
            },
            {
               name: "ADV-2010-2572",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2010/2572",
            },
            {
               name: "[oss-security] 20101004 CVE Request: more dovecot ACL issues",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://marc.info/?l=oss-security&m=128620520732377&w=2",
            },
            {
               name: "MDVSA-2010:217",
               tags: [
                  "vendor-advisory",
                  "x_refsource_MANDRIVA",
               ],
               url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217",
            },
            {
               name: "43220",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/43220",
            },
            {
               name: "ADV-2011-0301",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2011/0301",
            },
            {
               name: "[dovecot] 20101002 v1.2.15 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot/2010-October/053450.html",
            },
            {
               name: "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot/2010-October/053452.html",
            },
            {
               name: "RHSA-2011:0600",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2011-0600.html",
            },
            {
               name: "ADV-2010-2840",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2010/2840",
            },
            {
               name: "[dovecot] 20101002 v2.0.5 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot/2010-October/053451.html",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2010-3707",
      datePublished: "2010-10-06T16:00:00",
      dateReserved: "2010-10-01T00:00:00",
      dateUpdated: "2024-08-07T03:18:52.913Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-12674
Vulnerability from cvelistv5
Published
2020-08-12 15:20
Modified
2024-08-04 12:04
Severity ?
Summary
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T12:04:22.541Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.openwall.com/lists/oss-security/2020/08/12/3",
               },
               {
                  name: "DSA-4745",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2020/dsa-4745",
               },
               {
                  name: "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html",
               },
               {
                  name: "USN-4456-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4456-1/",
               },
               {
                  name: "USN-4456-2",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4456-2/",
               },
               {
                  name: "openSUSE-SU-2020:1241",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html",
               },
               {
                  name: "openSUSE-SU-2020:1262",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html",
               },
               {
                  name: "FEDORA-2020-cd8b8f887b",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/",
               },
               {
                  name: "GLSA-202009-02",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202009-02",
               },
               {
                  name: "FEDORA-2020-b8ebc4201e",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/",
               },
               {
                  name: "FEDORA-2020-d737c57172",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-10-13T21:06:09",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.openwall.com/lists/oss-security/2020/08/12/3",
            },
            {
               name: "DSA-4745",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2020/dsa-4745",
            },
            {
               name: "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html",
            },
            {
               name: "USN-4456-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4456-1/",
            },
            {
               name: "USN-4456-2",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4456-2/",
            },
            {
               name: "openSUSE-SU-2020:1241",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html",
            },
            {
               name: "openSUSE-SU-2020:1262",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html",
            },
            {
               name: "FEDORA-2020-cd8b8f887b",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/",
            },
            {
               name: "GLSA-202009-02",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202009-02",
            },
            {
               name: "FEDORA-2020-b8ebc4201e",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/",
            },
            {
               name: "FEDORA-2020-d737c57172",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-12674",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security",
                     refsource: "MISC",
                     url: "https://dovecot.org/security",
                  },
                  {
                     name: "https://www.openwall.com/lists/oss-security/2020/08/12/3",
                     refsource: "CONFIRM",
                     url: "https://www.openwall.com/lists/oss-security/2020/08/12/3",
                  },
                  {
                     name: "DSA-4745",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2020/dsa-4745",
                  },
                  {
                     name: "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html",
                  },
                  {
                     name: "USN-4456-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4456-1/",
                  },
                  {
                     name: "USN-4456-2",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4456-2/",
                  },
                  {
                     name: "openSUSE-SU-2020:1241",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html",
                  },
                  {
                     name: "openSUSE-SU-2020:1262",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html",
                  },
                  {
                     name: "FEDORA-2020-cd8b8f887b",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/",
                  },
                  {
                     name: "GLSA-202009-02",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202009-02",
                  },
                  {
                     name: "FEDORA-2020-b8ebc4201e",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/",
                  },
                  {
                     name: "FEDORA-2020-d737c57172",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-12674",
      datePublished: "2020-08-12T15:20:29",
      dateReserved: "2020-05-06T00:00:00",
      dateUpdated: "2024-08-04T12:04:22.541Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2010-0745
Vulnerability from cvelistv5
Published
2010-05-20 17:00
Modified
2024-08-07 00:59
Severity ?
Summary
Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) via long headers in an e-mail message.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T00:59:39.007Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://security-tracker.debian.org/tracker/CVE-2010-0745",
               },
               {
                  name: "ADV-2010-1107",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2010/1107",
               },
               {
                  name: "[dovecot] 20100227 Possible CPU Denial-Of-Service attack to dovecot IMAP.",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/pipermail/dovecot/2010-February/047190.html",
               },
               {
                  name: "SUSE-SR:2010:011",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html",
               },
               {
                  name: "MDVSA-2010:104",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_MANDRIVA",
                     "x_transferred",
                  ],
                  url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:104",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=572268",
               },
               {
                  name: "ADV-2010-1226",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2010/1226",
               },
               {
                  name: "[oss-security] 20100310 CVE Request -- Dovecot v1.2.11 -- DoS (excessive CPU use) by processing email with huge header",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2010/03/10/6",
               },
               {
                  name: "[dovecot-news] 20100308 v1.2.11 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/list/dovecot-news/2010-March/000152.html",
               },
               {
                  name: "[oss-security] 20100401 Re: CVE Request -- Dovecot v1.2.11 -- DoS (excessive CPU use) by processing email with huge header",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://marc.info/?l=oss-security&m=127013715227551&w=2",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2010-02-27T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) via long headers in an e-mail message.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2010-04-30T09:00:00",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://security-tracker.debian.org/tracker/CVE-2010-0745",
            },
            {
               name: "ADV-2010-1107",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2010/1107",
            },
            {
               name: "[dovecot] 20100227 Possible CPU Denial-Of-Service attack to dovecot IMAP.",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://dovecot.org/pipermail/dovecot/2010-February/047190.html",
            },
            {
               name: "SUSE-SR:2010:011",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html",
            },
            {
               name: "MDVSA-2010:104",
               tags: [
                  "vendor-advisory",
                  "x_refsource_MANDRIVA",
               ],
               url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:104",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=572268",
            },
            {
               name: "ADV-2010-1226",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2010/1226",
            },
            {
               name: "[oss-security] 20100310 CVE Request -- Dovecot v1.2.11 -- DoS (excessive CPU use) by processing email with huge header",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2010/03/10/6",
            },
            {
               name: "[dovecot-news] 20100308 v1.2.11 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://dovecot.org/list/dovecot-news/2010-March/000152.html",
            },
            {
               name: "[oss-security] 20100401 Re: CVE Request -- Dovecot v1.2.11 -- DoS (excessive CPU use) by processing email with huge header",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://marc.info/?l=oss-security&m=127013715227551&w=2",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2010-0745",
      datePublished: "2010-05-20T17:00:00",
      dateReserved: "2010-02-26T00:00:00",
      dateUpdated: "2024-08-07T00:59:39.007Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2007-6598
Vulnerability from cvelistv5
Published
2008-01-04 02:00
Modified
2024-08-07 16:11
Severity ?
Summary
Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password.
References
http://secunia.com/advisories/28434third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/30342third-party-advisory, x_refsource_SECUNIA
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10458vdb-entry, signature, x_refsource_OVAL
http://www.securityfocus.com/archive/1/485787/100/0/threadedmailing-list, x_refsource_BUGTRAQ
http://www.redhat.com/support/errata/RHSA-2008-0297.htmlvendor-advisory, x_refsource_REDHAT
http://www.ubuntu.com/usn/usn-567-1vendor-advisory, x_refsource_UBUNTU
http://www.securityfocus.com/bid/27093vdb-entry, x_refsource_BID
http://www.vupen.com/english/advisories/2008/0017vdb-entry, x_refsource_VUPEN
http://osvdb.org/39876vdb-entry, x_refsource_OSVDB
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.htmlvendor-advisory, x_refsource_SUSE
http://www.securityfocus.com/archive/1/485779/100/0/threadedmailing-list, x_refsource_BUGTRAQ
http://www.debian.org/security/2008/dsa-1457vendor-advisory, x_refsource_DEBIAN
http://dovecot.org/list/dovecot-news/2007-December/000057.htmlmailing-list, x_refsource_MLIST
http://secunia.com/advisories/32151third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/28404third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/28271third-party-advisory, x_refsource_SECUNIA
http://dovecot.org/list/dovecot-news/2007-December/000058.htmlmailing-list, x_refsource_MLIST
https://issues.rpath.com/browse/RPL-2076x_refsource_CONFIRM
http://secunia.com/advisories/28227third-party-advisory, x_refsource_SECUNIA
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T16:11:06.066Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "28434",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/28434",
               },
               {
                  name: "30342",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/30342",
               },
               {
                  name: "oval:org.mitre.oval:def:10458",
                  tags: [
                     "vdb-entry",
                     "signature",
                     "x_refsource_OVAL",
                     "x_transferred",
                  ],
                  url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10458",
               },
               {
                  name: "20080103 Re: rPSA-2008-0001-1 dovecot",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/archive/1/485787/100/0/threaded",
               },
               {
                  name: "RHSA-2008:0297",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html",
               },
               {
                  name: "USN-567-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "http://www.ubuntu.com/usn/usn-567-1",
               },
               {
                  name: "27093",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/27093",
               },
               {
                  name: "ADV-2008-0017",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2008/0017",
               },
               {
                  name: "39876",
                  tags: [
                     "vdb-entry",
                     "x_refsource_OSVDB",
                     "x_transferred",
                  ],
                  url: "http://osvdb.org/39876",
               },
               {
                  name: "SUSE-SR:2008:020",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html",
               },
               {
                  name: "20080103 rPSA-2008-0001-1 dovecot",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/archive/1/485779/100/0/threaded",
               },
               {
                  name: "DSA-1457",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "http://www.debian.org/security/2008/dsa-1457",
               },
               {
                  name: "[Dovecot-news] 20071221 Security hole #4: Specific LDAP + auth cache configuration may mix up user logins",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/list/dovecot-news/2007-December/000057.html",
               },
               {
                  name: "32151",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/32151",
               },
               {
                  name: "28404",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/28404",
               },
               {
                  name: "28271",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/28271",
               },
               {
                  name: "[Dovecot-news] 20071229 v1.0.10 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/list/dovecot-news/2007-December/000058.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://issues.rpath.com/browse/RPL-2076",
               },
               {
                  name: "28227",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/28227",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2007-12-21T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2018-10-15T20:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "28434",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/28434",
            },
            {
               name: "30342",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/30342",
            },
            {
               name: "oval:org.mitre.oval:def:10458",
               tags: [
                  "vdb-entry",
                  "signature",
                  "x_refsource_OVAL",
               ],
               url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10458",
            },
            {
               name: "20080103 Re: rPSA-2008-0001-1 dovecot",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "http://www.securityfocus.com/archive/1/485787/100/0/threaded",
            },
            {
               name: "RHSA-2008:0297",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html",
            },
            {
               name: "USN-567-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "http://www.ubuntu.com/usn/usn-567-1",
            },
            {
               name: "27093",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/27093",
            },
            {
               name: "ADV-2008-0017",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2008/0017",
            },
            {
               name: "39876",
               tags: [
                  "vdb-entry",
                  "x_refsource_OSVDB",
               ],
               url: "http://osvdb.org/39876",
            },
            {
               name: "SUSE-SR:2008:020",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html",
            },
            {
               name: "20080103 rPSA-2008-0001-1 dovecot",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "http://www.securityfocus.com/archive/1/485779/100/0/threaded",
            },
            {
               name: "DSA-1457",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "http://www.debian.org/security/2008/dsa-1457",
            },
            {
               name: "[Dovecot-news] 20071221 Security hole #4: Specific LDAP + auth cache configuration may mix up user logins",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://dovecot.org/list/dovecot-news/2007-December/000057.html",
            },
            {
               name: "32151",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/32151",
            },
            {
               name: "28404",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/28404",
            },
            {
               name: "28271",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/28271",
            },
            {
               name: "[Dovecot-news] 20071229 v1.0.10 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://dovecot.org/list/dovecot-news/2007-December/000058.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://issues.rpath.com/browse/RPL-2076",
            },
            {
               name: "28227",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/28227",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2007-6598",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "28434",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/28434",
                  },
                  {
                     name: "30342",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/30342",
                  },
                  {
                     name: "oval:org.mitre.oval:def:10458",
                     refsource: "OVAL",
                     url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10458",
                  },
                  {
                     name: "20080103 Re: rPSA-2008-0001-1 dovecot",
                     refsource: "BUGTRAQ",
                     url: "http://www.securityfocus.com/archive/1/485787/100/0/threaded",
                  },
                  {
                     name: "RHSA-2008:0297",
                     refsource: "REDHAT",
                     url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html",
                  },
                  {
                     name: "USN-567-1",
                     refsource: "UBUNTU",
                     url: "http://www.ubuntu.com/usn/usn-567-1",
                  },
                  {
                     name: "27093",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/27093",
                  },
                  {
                     name: "ADV-2008-0017",
                     refsource: "VUPEN",
                     url: "http://www.vupen.com/english/advisories/2008/0017",
                  },
                  {
                     name: "39876",
                     refsource: "OSVDB",
                     url: "http://osvdb.org/39876",
                  },
                  {
                     name: "SUSE-SR:2008:020",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html",
                  },
                  {
                     name: "20080103 rPSA-2008-0001-1 dovecot",
                     refsource: "BUGTRAQ",
                     url: "http://www.securityfocus.com/archive/1/485779/100/0/threaded",
                  },
                  {
                     name: "DSA-1457",
                     refsource: "DEBIAN",
                     url: "http://www.debian.org/security/2008/dsa-1457",
                  },
                  {
                     name: "[Dovecot-news] 20071221 Security hole #4: Specific LDAP + auth cache configuration may mix up user logins",
                     refsource: "MLIST",
                     url: "http://dovecot.org/list/dovecot-news/2007-December/000057.html",
                  },
                  {
                     name: "32151",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/32151",
                  },
                  {
                     name: "28404",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/28404",
                  },
                  {
                     name: "28271",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/28271",
                  },
                  {
                     name: "[Dovecot-news] 20071229 v1.0.10 released",
                     refsource: "MLIST",
                     url: "http://dovecot.org/list/dovecot-news/2007-December/000058.html",
                  },
                  {
                     name: "https://issues.rpath.com/browse/RPL-2076",
                     refsource: "CONFIRM",
                     url: "https://issues.rpath.com/browse/RPL-2076",
                  },
                  {
                     name: "28227",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/28227",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2007-6598",
      datePublished: "2008-01-04T02:00:00",
      dateReserved: "2007-12-31T00:00:00",
      dateUpdated: "2024-08-07T16:11:06.066Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-7957
Vulnerability from cvelistv5
Published
2020-02-12 16:50
Modified
2024-08-04 09:48
Summary
The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T09:48:24.611Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2020/02/12/2",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html",
               },
               {
                  name: "FEDORA-2020-10a58fda28",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/",
               },
               {
                  name: "FEDORA-2020-0e6a67af5a",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 3.1,
                  baseSeverity: "LOW",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.0/AC:H/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:R",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-02-20T06:06:09",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://www.openwall.com/lists/oss-security/2020/02/12/2",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html",
            },
            {
               name: "FEDORA-2020-10a58fda28",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/",
            },
            {
               name: "FEDORA-2020-0e6a67af5a",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-7957",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.0/AC:H/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:R",
                  version: "3.0",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security",
                     refsource: "MISC",
                     url: "https://dovecot.org/security",
                  },
                  {
                     name: "http://www.openwall.com/lists/oss-security/2020/02/12/2",
                     refsource: "CONFIRM",
                     url: "http://www.openwall.com/lists/oss-security/2020/02/12/2",
                  },
                  {
                     name: "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html",
                     refsource: "CONFIRM",
                     url: "https://dovecot.org/pipermail/dovecot-news/2020-February/000430.html",
                  },
                  {
                     name: "FEDORA-2020-10a58fda28",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/",
                  },
                  {
                     name: "FEDORA-2020-0e6a67af5a",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-7957",
      datePublished: "2020-02-12T16:50:56",
      dateReserved: "2020-01-24T00:00:00",
      dateUpdated: "2024-08-04T09:48:24.611Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2016-4983
Vulnerability from cvelistv5
Published
2019-11-05 21:45
Modified
2024-08-06 00:46
Severity ?
Summary
A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files.
Impacted products
Vendor Product Version
Fedora dovecot22 Version: dovecot22-2.2.18-9.1
Fedora dovecot22 Version: dovecot22-2.2.13-3.7.1
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T00:46:39.893Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.suse.com/show_bug.cgi?id=984639",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=1346055",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-updates/2016-11/msg00096.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "dovecot22",
               vendor: "Fedora",
               versions: [
                  {
                     status: "affected",
                     version: "dovecot22-2.2.25-3.1",
                  },
               ],
            },
            {
               product: "dovecot22",
               vendor: "Fedora",
               versions: [
                  {
                     status: "affected",
                     version: "dovecot22-2.2.18-9.1",
                  },
               ],
            },
            {
               product: "dovecot22",
               vendor: "Fedora",
               versions: [
                  {
                     status: "affected",
                     version: "dovecot22-2.2.13-3.7.1",
                  },
               ],
            },
         ],
         datePublic: "2016-06-13T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "Other",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-11-05T21:45:36",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://bugzilla.suse.com/show_bug.cgi?id=984639",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1346055",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://lists.opensuse.org/opensuse-updates/2016-11/msg00096.html",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2016-4983",
      datePublished: "2019-11-05T21:45:36",
      dateReserved: "2016-05-24T00:00:00",
      dateUpdated: "2024-08-06T00:46:39.893Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2011-2167
Vulnerability from cvelistv5
Published
2011-05-24 23:00
Modified
2024-08-06 22:53
Severity ?
Summary
script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script.
References
http://www.dovecot.org/doc/NEWS-2.0x_refsource_CONFIRM
http://dovecot.org/pipermail/dovecot/2011-May/059085.htmlmailing-list, x_refsource_MLIST
http://rhn.redhat.com/errata/RHSA-2013-0520.htmlvendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/52311third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/48003vdb-entry, x_refsource_BID
http://openwall.com/lists/oss-security/2011/05/18/4mailing-list, x_refsource_MLIST
https://exchange.xforce.ibmcloud.com/vulnerabilities/67674vdb-entry, x_refsource_XF
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T22:53:16.945Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/doc/NEWS-2.0",
               },
               {
                  name: "[dovecot] 20110511 v2.0.13 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/pipermail/dovecot/2011-May/059085.html",
               },
               {
                  name: "RHSA-2013:0520",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://rhn.redhat.com/errata/RHSA-2013-0520.html",
               },
               {
                  name: "52311",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/52311",
               },
               {
                  name: "48003",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/48003",
               },
               {
                  name: "[oss-security] 20110518 Dovecot releases",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://openwall.com/lists/oss-security/2011/05/18/4",
               },
               {
                  name: "dovecot-scriptlogin-dir-traversal(67674)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/67674",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2011-05-11T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-08-28T12:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://www.dovecot.org/doc/NEWS-2.0",
            },
            {
               name: "[dovecot] 20110511 v2.0.13 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://dovecot.org/pipermail/dovecot/2011-May/059085.html",
            },
            {
               name: "RHSA-2013:0520",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://rhn.redhat.com/errata/RHSA-2013-0520.html",
            },
            {
               name: "52311",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/52311",
            },
            {
               name: "48003",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/48003",
            },
            {
               name: "[oss-security] 20110518 Dovecot releases",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://openwall.com/lists/oss-security/2011/05/18/4",
            },
            {
               name: "dovecot-scriptlogin-dir-traversal(67674)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/67674",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2011-2167",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "http://www.dovecot.org/doc/NEWS-2.0",
                     refsource: "CONFIRM",
                     url: "http://www.dovecot.org/doc/NEWS-2.0",
                  },
                  {
                     name: "[dovecot] 20110511 v2.0.13 released",
                     refsource: "MLIST",
                     url: "http://dovecot.org/pipermail/dovecot/2011-May/059085.html",
                  },
                  {
                     name: "RHSA-2013:0520",
                     refsource: "REDHAT",
                     url: "http://rhn.redhat.com/errata/RHSA-2013-0520.html",
                  },
                  {
                     name: "52311",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/52311",
                  },
                  {
                     name: "48003",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/48003",
                  },
                  {
                     name: "[oss-security] 20110518 Dovecot releases",
                     refsource: "MLIST",
                     url: "http://openwall.com/lists/oss-security/2011/05/18/4",
                  },
                  {
                     name: "dovecot-scriptlogin-dir-traversal(67674)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/67674",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2011-2167",
      datePublished: "2011-05-24T23:00:00",
      dateReserved: "2011-05-24T00:00:00",
      dateUpdated: "2024-08-06T22:53:16.945Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-10958
Vulnerability from cvelistv5
Published
2020-05-18 14:00
Modified
2024-08-04 11:21
Summary
In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T11:21:13.881Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.openwall.com/lists/oss-security/2020/05/18/1",
               },
               {
                  name: "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2020/05/18/1",
               },
               {
                  name: "USN-4361-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4361-1/",
               },
               {
                  name: "20200519 Multiple vulnerabilities in Dovecot IMAP server",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2020/May/37",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html",
               },
               {
                  name: "DSA-4690",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2020/dsa-4690",
               },
               {
                  name: "FEDORA-2020-1dee17d880",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/",
               },
               {
                  name: "openSUSE-SU-2020:0720",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html",
               },
               {
                  name: "FEDORA-2020-b60344c987",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AC:L/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:N",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-05-28T03:06:13",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.openwall.com/lists/oss-security/2020/05/18/1",
            },
            {
               name: "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2020/05/18/1",
            },
            {
               name: "USN-4361-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4361-1/",
            },
            {
               name: "20200519 Multiple vulnerabilities in Dovecot IMAP server",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2020/May/37",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html",
            },
            {
               name: "DSA-4690",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2020/dsa-4690",
            },
            {
               name: "FEDORA-2020-1dee17d880",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/",
            },
            {
               name: "openSUSE-SU-2020:0720",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html",
            },
            {
               name: "FEDORA-2020-b60344c987",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-10958",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AC:L/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:N",
                  version: "3.0",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security",
                     refsource: "MISC",
                     url: "https://dovecot.org/security",
                  },
                  {
                     name: "https://www.openwall.com/lists/oss-security/2020/05/18/1",
                     refsource: "CONFIRM",
                     url: "https://www.openwall.com/lists/oss-security/2020/05/18/1",
                  },
                  {
                     name: "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2020/05/18/1",
                  },
                  {
                     name: "USN-4361-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4361-1/",
                  },
                  {
                     name: "20200519 Multiple vulnerabilities in Dovecot IMAP server",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2020/May/37",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html",
                  },
                  {
                     name: "DSA-4690",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2020/dsa-4690",
                  },
                  {
                     name: "FEDORA-2020-1dee17d880",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/",
                  },
                  {
                     name: "openSUSE-SU-2020:0720",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html",
                  },
                  {
                     name: "FEDORA-2020-b60344c987",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-10958",
      datePublished: "2020-05-18T14:00:33",
      dateReserved: "2020-03-25T00:00:00",
      dateUpdated: "2024-08-04T11:21:13.881Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-12100
Vulnerability from cvelistv5
Published
2020-08-12 15:07
Modified
2024-08-04 11:48
Severity ?
Summary
In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T11:48:57.941Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  name: "[oss-security] 20200812 CVE-2020-12100: Dovecot IMAP server: Receiving mail with deeply nested MIME parts leads to resource exhaustion",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2020/08/12/1",
               },
               {
                  name: "DSA-4745",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2020/dsa-4745",
               },
               {
                  name: "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html",
               },
               {
                  name: "USN-4456-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4456-1/",
               },
               {
                  name: "USN-4456-2",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4456-2/",
               },
               {
                  name: "FEDORA-2020-cd8b8f887b",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/",
               },
               {
                  name: "GLSA-202009-02",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202009-02",
               },
               {
                  name: "FEDORA-2020-b8ebc4201e",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/",
               },
               {
                  name: "FEDORA-2020-d737c57172",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/",
               },
               {
                  name: "[oss-security] 20210104 CVE-2020-25275: Dovecot: MIME parsing crash",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/01/04/3",
               },
               {
                  name: "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2021/Jan/18",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-01-06T22:06:10",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security",
            },
            {
               name: "[oss-security] 20200812 CVE-2020-12100: Dovecot IMAP server: Receiving mail with deeply nested MIME parts leads to resource exhaustion",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2020/08/12/1",
            },
            {
               name: "DSA-4745",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2020/dsa-4745",
            },
            {
               name: "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html",
            },
            {
               name: "USN-4456-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4456-1/",
            },
            {
               name: "USN-4456-2",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4456-2/",
            },
            {
               name: "FEDORA-2020-cd8b8f887b",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/",
            },
            {
               name: "GLSA-202009-02",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202009-02",
            },
            {
               name: "FEDORA-2020-b8ebc4201e",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/",
            },
            {
               name: "FEDORA-2020-d737c57172",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/",
            },
            {
               name: "[oss-security] 20210104 CVE-2020-25275: Dovecot: MIME parsing crash",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/01/04/3",
            },
            {
               name: "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2021/Jan/18",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-12100",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security",
                     refsource: "MISC",
                     url: "https://dovecot.org/security",
                  },
                  {
                     name: "[oss-security] 20200812 CVE-2020-12100: Dovecot IMAP server: Receiving mail with deeply nested MIME parts leads to resource exhaustion",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2020/08/12/1",
                  },
                  {
                     name: "DSA-4745",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2020/dsa-4745",
                  },
                  {
                     name: "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html",
                  },
                  {
                     name: "USN-4456-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4456-1/",
                  },
                  {
                     name: "USN-4456-2",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4456-2/",
                  },
                  {
                     name: "FEDORA-2020-cd8b8f887b",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/",
                  },
                  {
                     name: "GLSA-202009-02",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202009-02",
                  },
                  {
                     name: "FEDORA-2020-b8ebc4201e",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/",
                  },
                  {
                     name: "FEDORA-2020-d737c57172",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/",
                  },
                  {
                     name: "[oss-security] 20210104 CVE-2020-25275: Dovecot: MIME parsing crash",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/01/04/3",
                  },
                  {
                     name: "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2021/Jan/18",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-12100",
      datePublished: "2020-08-12T15:07:52",
      dateReserved: "2020-04-23T00:00:00",
      dateUpdated: "2024-08-04T11:48:57.941Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2010-3779
Vulnerability from cvelistv5
Published
2010-10-06 20:00
Modified
2024-08-07 03:18
Severity ?
Summary
Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin permission to the owner of each mailbox in a non-public namespace, which might allow remote authenticated users to bypass intended access restrictions by changing the ACL of a mailbox, as demonstrated by a symlinked shared mailbox.
References
http://www.ubuntu.com/usn/USN-1059-1vendor-advisory, x_refsource_UBUNTU
http://www.mandriva.com/security/advisories?name=MDVSA-2010:217vendor-advisory, x_refsource_MANDRIVA
http://secunia.com/advisories/43220third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2011/0301vdb-entry, x_refsource_VUPEN
http://www.dovecot.org/list/dovecot/2010-October/053450.htmlmailing-list, x_refsource_MLIST
http://www.dovecot.org/list/dovecot/2010-October/053452.htmlmailing-list, x_refsource_MLIST
http://www.vupen.com/english/advisories/2010/2840vdb-entry, x_refsource_VUPEN
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T03:18:53.196Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "USN-1059-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "http://www.ubuntu.com/usn/USN-1059-1",
               },
               {
                  name: "MDVSA-2010:217",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_MANDRIVA",
                     "x_transferred",
                  ],
                  url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217",
               },
               {
                  name: "43220",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/43220",
               },
               {
                  name: "ADV-2011-0301",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2011/0301",
               },
               {
                  name: "[dovecot] 20101002 v1.2.15 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot/2010-October/053450.html",
               },
               {
                  name: "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot/2010-October/053452.html",
               },
               {
                  name: "ADV-2010-2840",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2010/2840",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2010-10-02T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin permission to the owner of each mailbox in a non-public namespace, which might allow remote authenticated users to bypass intended access restrictions by changing the ACL of a mailbox, as demonstrated by a symlinked shared mailbox.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2010-11-19T10:00:00",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "USN-1059-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "http://www.ubuntu.com/usn/USN-1059-1",
            },
            {
               name: "MDVSA-2010:217",
               tags: [
                  "vendor-advisory",
                  "x_refsource_MANDRIVA",
               ],
               url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217",
            },
            {
               name: "43220",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/43220",
            },
            {
               name: "ADV-2011-0301",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2011/0301",
            },
            {
               name: "[dovecot] 20101002 v1.2.15 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot/2010-October/053450.html",
            },
            {
               name: "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot/2010-October/053452.html",
            },
            {
               name: "ADV-2010-2840",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2010/2840",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2010-3779",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin permission to the owner of each mailbox in a non-public namespace, which might allow remote authenticated users to bypass intended access restrictions by changing the ACL of a mailbox, as demonstrated by a symlinked shared mailbox.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "USN-1059-1",
                     refsource: "UBUNTU",
                     url: "http://www.ubuntu.com/usn/USN-1059-1",
                  },
                  {
                     name: "MDVSA-2010:217",
                     refsource: "MANDRIVA",
                     url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217",
                  },
                  {
                     name: "43220",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/43220",
                  },
                  {
                     name: "ADV-2011-0301",
                     refsource: "VUPEN",
                     url: "http://www.vupen.com/english/advisories/2011/0301",
                  },
                  {
                     name: "[dovecot] 20101002 v1.2.15 released",
                     refsource: "MLIST",
                     url: "http://www.dovecot.org/list/dovecot/2010-October/053450.html",
                  },
                  {
                     name: "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0",
                     refsource: "MLIST",
                     url: "http://www.dovecot.org/list/dovecot/2010-October/053452.html",
                  },
                  {
                     name: "ADV-2010-2840",
                     refsource: "VUPEN",
                     url: "http://www.vupen.com/english/advisories/2010/2840",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2010-3779",
      datePublished: "2010-10-06T20:00:00",
      dateReserved: "2010-10-06T00:00:00",
      dateUpdated: "2024-08-07T03:18:53.196Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2016-8652
Vulnerability from cvelistv5
Published
2017-02-16 18:00
Modified
2024-08-06 02:27
Severity ?
Summary
The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows a remote attackers to cause a denial of service (crash) by aborting authentication without setting a username.
References
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T02:27:41.255Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "94639",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/94639",
               },
               {
                  name: "[oss-security] 20161202 Important vulnerability in Dovecot (CVE-2016-8652)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2016/12/02/4",
               },
               {
                  name: "[dovecot-news] 20161203 v2.2.27 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/pipermail/dovecot-news/2016-December/000333.html",
               },
               {
                  name: "[oss-security] 20161205 Re: Important vulnerability in Dovecot (CVE-2016-8652)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2016/12/05/12",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2016-12-02T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows a remote attackers to cause a denial of service (crash) by aborting authentication without setting a username.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-02-16T17:57:01",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "94639",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/94639",
            },
            {
               name: "[oss-security] 20161202 Important vulnerability in Dovecot (CVE-2016-8652)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2016/12/02/4",
            },
            {
               name: "[dovecot-news] 20161203 v2.2.27 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://dovecot.org/pipermail/dovecot-news/2016-December/000333.html",
            },
            {
               name: "[oss-security] 20161205 Re: Important vulnerability in Dovecot (CVE-2016-8652)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2016/12/05/12",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2016-8652",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows a remote attackers to cause a denial of service (crash) by aborting authentication without setting a username.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "94639",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/94639",
                  },
                  {
                     name: "[oss-security] 20161202 Important vulnerability in Dovecot (CVE-2016-8652)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2016/12/02/4",
                  },
                  {
                     name: "[dovecot-news] 20161203 v2.2.27 released",
                     refsource: "MLIST",
                     url: "http://dovecot.org/pipermail/dovecot-news/2016-December/000333.html",
                  },
                  {
                     name: "[oss-security] 20161205 Re: Important vulnerability in Dovecot (CVE-2016-8652)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2016/12/05/12",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2016-8652",
      datePublished: "2017-02-16T18:00:00",
      dateReserved: "2016-10-12T00:00:00",
      dateUpdated: "2024-08-06T02:27:41.255Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-3814
Vulnerability from cvelistv5
Published
2019-03-27 12:20
Modified
2024-08-04 19:19
Summary
It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T19:19:18.590Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.dovecot.org/list/dovecot/2019-February/114575.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814",
               },
               {
                  name: "openSUSE-SU-2019:1220",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html",
               },
               {
                  name: "GLSA-201904-19",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/201904-19",
               },
               {
                  name: "FEDORA-2019-9e004decea",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/",
               },
               {
                  name: "FEDORA-2019-1b61a528dd",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
               },
               {
                  name: "RHSA-2019:3467",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:3467",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "dovecot",
               vendor: "dovecot",
               versions: [
                  {
                     status: "affected",
                     version: "2.2.36.1",
                  },
                  {
                     status: "affected",
                     version: "2.3.4.1",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.7,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "HIGH",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-295",
                     description: "CWE-295",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-11-06T00:08:03",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.dovecot.org/list/dovecot/2019-February/114575.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814",
            },
            {
               name: "openSUSE-SU-2019:1220",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html",
            },
            {
               name: "GLSA-201904-19",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/201904-19",
            },
            {
               name: "FEDORA-2019-9e004decea",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/",
            },
            {
               name: "FEDORA-2019-1b61a528dd",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
            },
            {
               name: "RHSA-2019:3467",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:3467",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2019-3814",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "dovecot",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "2.2.36.1",
                                       },
                                       {
                                          version_value: "2.3.4.1",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "dovecot",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.",
                  },
               ],
            },
            impact: {
               cvss: [
                  [
                     {
                        vectorString: "7.7/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
                        version: "3.0",
                     },
                  ],
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-295",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.dovecot.org/list/dovecot/2019-February/114575.html",
                     refsource: "MISC",
                     url: "https://www.dovecot.org/list/dovecot/2019-February/114575.html",
                  },
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814",
                     refsource: "CONFIRM",
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814",
                  },
                  {
                     name: "openSUSE-SU-2019:1220",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html",
                  },
                  {
                     name: "GLSA-201904-19",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/201904-19",
                  },
                  {
                     name: "FEDORA-2019-9e004decea",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/",
                  },
                  {
                     name: "FEDORA-2019-1b61a528dd",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
                  },
                  {
                     name: "RHSA-2019:3467",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:3467",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2019-3814",
      datePublished: "2019-03-27T12:20:45",
      dateReserved: "2019-01-03T00:00:00",
      dateUpdated: "2024-08-04T19:19:18.590Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-19722
Vulnerability from cvelistv5
Published
2019-12-13 16:34
Modified
2024-08-05 02:25
Severity ?
Summary
In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T02:25:12.619Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/list/dovecot-news/2019-December/000428.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2019/12/13/3",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html",
               },
               {
                  name: "FEDORA-2019-5898f4f935",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OZCJ3RBA4WIYGN7SOV4TW2AIHXPZATK/",
               },
               {
                  name: "FEDORA-2019-72e5ac943a",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PPB7PG5BM3MC5ZF2KHQ3UR7CZIO42BB/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-01-12T02:06:04",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://dovecot.org/list/dovecot-news/2019-December/000428.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://dovecot.org/security.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://www.openwall.com/lists/oss-security/2019/12/13/3",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html",
            },
            {
               name: "FEDORA-2019-5898f4f935",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OZCJ3RBA4WIYGN7SOV4TW2AIHXPZATK/",
            },
            {
               name: "FEDORA-2019-72e5ac943a",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PPB7PG5BM3MC5ZF2KHQ3UR7CZIO42BB/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2019-19722",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/list/dovecot-news/2019-December/000428.html",
                     refsource: "CONFIRM",
                     url: "https://dovecot.org/list/dovecot-news/2019-December/000428.html",
                  },
                  {
                     name: "https://dovecot.org/security.html",
                     refsource: "CONFIRM",
                     url: "https://dovecot.org/security.html",
                  },
                  {
                     name: "http://www.openwall.com/lists/oss-security/2019/12/13/3",
                     refsource: "CONFIRM",
                     url: "http://www.openwall.com/lists/oss-security/2019/12/13/3",
                  },
                  {
                     name: "https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html",
                     refsource: "CONFIRM",
                     url: "https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html",
                  },
                  {
                     name: "FEDORA-2019-5898f4f935",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OZCJ3RBA4WIYGN7SOV4TW2AIHXPZATK/",
                  },
                  {
                     name: "FEDORA-2019-72e5ac943a",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PPB7PG5BM3MC5ZF2KHQ3UR7CZIO42BB/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-19722",
      datePublished: "2019-12-13T16:34:48",
      dateReserved: "2019-12-11T00:00:00",
      dateUpdated: "2024-08-05T02:25:12.619Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2008-4907
Vulnerability from cvelistv5
Published
2008-11-04 00:00
Modified
2024-08-07 10:31
Severity ?
Summary
The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From address, which triggers an assertion error, aka "invalid message address parsing bug."
References
http://www.dovecot.org/list/dovecot-news/2008-October/000089.htmlmailing-list, x_refsource_MLIST
http://secunia.com/advisories/33149third-party-advisory, x_refsource_SECUNIA
https://exchange.xforce.ibmcloud.com/vulnerabilities/46227vdb-entry, x_refsource_XF
http://www.ubuntu.com/usn/usn-666-1vendor-advisory, x_refsource_UBUNTU
http://www.securityfocus.com/bid/31997vdb-entry, x_refsource_BID
http://security.gentoo.org/glsa/glsa-200812-16.xmlvendor-advisory, x_refsource_GENTOO
http://secunia.com/advisories/32677third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/32479third-party-advisory, x_refsource_SECUNIA
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T10:31:28.281Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "[Dovecot-news] 20081030 v1.1.6 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot-news/2008-October/000089.html",
               },
               {
                  name: "33149",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/33149",
               },
               {
                  name: "dovecot-mail-header-dos(46227)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46227",
               },
               {
                  name: "USN-666-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "http://www.ubuntu.com/usn/usn-666-1",
               },
               {
                  name: "31997",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/31997",
               },
               {
                  name: "GLSA-200812-16",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "http://security.gentoo.org/glsa/glsa-200812-16.xml",
               },
               {
                  name: "32677",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/32677",
               },
               {
                  name: "32479",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/32479",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2008-10-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From address, which triggers an assertion error, aka \"invalid message address parsing bug.\"",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-08-07T12:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "[Dovecot-news] 20081030 v1.1.6 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot-news/2008-October/000089.html",
            },
            {
               name: "33149",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/33149",
            },
            {
               name: "dovecot-mail-header-dos(46227)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46227",
            },
            {
               name: "USN-666-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "http://www.ubuntu.com/usn/usn-666-1",
            },
            {
               name: "31997",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/31997",
            },
            {
               name: "GLSA-200812-16",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "http://security.gentoo.org/glsa/glsa-200812-16.xml",
            },
            {
               name: "32677",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/32677",
            },
            {
               name: "32479",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/32479",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2008-4907",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The message parsing feature in Dovecot 1.1.4 and 1.1.5, when using the FETCH ENVELOPE command in the IMAP client, allows remote attackers to cause a denial of service (persistent crash) via an email with a malformed From address, which triggers an assertion error, aka \"invalid message address parsing bug.\"",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "[Dovecot-news] 20081030 v1.1.6 released",
                     refsource: "MLIST",
                     url: "http://www.dovecot.org/list/dovecot-news/2008-October/000089.html",
                  },
                  {
                     name: "33149",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/33149",
                  },
                  {
                     name: "dovecot-mail-header-dos(46227)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46227",
                  },
                  {
                     name: "USN-666-1",
                     refsource: "UBUNTU",
                     url: "http://www.ubuntu.com/usn/usn-666-1",
                  },
                  {
                     name: "31997",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/31997",
                  },
                  {
                     name: "GLSA-200812-16",
                     refsource: "GENTOO",
                     url: "http://security.gentoo.org/glsa/glsa-200812-16.xml",
                  },
                  {
                     name: "32677",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/32677",
                  },
                  {
                     name: "32479",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/32479",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2008-4907",
      datePublished: "2008-11-04T00:00:00",
      dateReserved: "2008-11-03T00:00:00",
      dateUpdated: "2024-08-07T10:31:28.281Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2014-3430
Vulnerability from cvelistv5
Published
2014-05-14 19:00
Modified
2024-08-06 10:43
Severity ?
Summary
Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection.
References
http://www.openwall.com/lists/oss-security/2014/05/09/4mailing-list, x_refsource_MLIST
http://secunia.com/advisories/59051third-party-advisory, x_refsource_SECUNIA
http://www.openwall.com/lists/oss-security/2014/05/09/8mailing-list, x_refsource_MLIST
http://secunia.com/advisories/59537third-party-advisory, x_refsource_SECUNIA
http://advisories.mageia.org/MGASA-2014-0223.htmlx_refsource_CONFIRM
http://permalink.gmane.org/gmane.mail.imap.dovecot/77499mailing-list, x_refsource_MLIST
http://www.debian.org/security/2014/dsa-2954vendor-advisory, x_refsource_DEBIAN
http://secunia.com/advisories/59552third-party-advisory, x_refsource_SECUNIA
http://www.ubuntu.com/usn/USN-2213-1vendor-advisory, x_refsource_UBUNTU
http://www.securityfocus.com/bid/67306vdb-entry, x_refsource_BID
http://www.mandriva.com/security/advisories?name=MDVSA-2015:113vendor-advisory, x_refsource_MANDRIVA
http://rhn.redhat.com/errata/RHSA-2014-0790.htmlvendor-advisory, x_refsource_REDHAT
http://linux.oracle.com/errata/ELSA-2014-0790.htmlx_refsource_CONFIRM
http://dovecot.org/pipermail/dovecot-news/2014-May/000273.htmlmailing-list, x_refsource_MLIST
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T10:43:06.101Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "[oss-security] 20140509 CVE request: Denial of Service attacks against Dovecot v1.1+",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2014/05/09/4",
               },
               {
                  name: "59051",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/59051",
               },
               {
                  name: "[oss-security] 20140509 Re: CVE request: Denial of Service attacks against Dovecot v1.1+",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2014/05/09/8",
               },
               {
                  name: "59537",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/59537",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://advisories.mageia.org/MGASA-2014-0223.html",
               },
               {
                  name: "[dovecot] 20140508 Denial of Service attacks against Dovecot v1.1+",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://permalink.gmane.org/gmane.mail.imap.dovecot/77499",
               },
               {
                  name: "DSA-2954",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "http://www.debian.org/security/2014/dsa-2954",
               },
               {
                  name: "59552",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/59552",
               },
               {
                  name: "USN-2213-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "http://www.ubuntu.com/usn/USN-2213-1",
               },
               {
                  name: "67306",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/67306",
               },
               {
                  name: "MDVSA-2015:113",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_MANDRIVA",
                     "x_transferred",
                  ],
                  url: "http://www.mandriva.com/security/advisories?name=MDVSA-2015:113",
               },
               {
                  name: "RHSA-2014:0790",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://rhn.redhat.com/errata/RHSA-2014-0790.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://linux.oracle.com/errata/ELSA-2014-0790.html",
               },
               {
                  name: "[Dovecot-news] 20140511 v2.2.13 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/pipermail/dovecot-news/2014-May/000273.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2014-05-08T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-12-28T19:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "[oss-security] 20140509 CVE request: Denial of Service attacks against Dovecot v1.1+",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2014/05/09/4",
            },
            {
               name: "59051",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/59051",
            },
            {
               name: "[oss-security] 20140509 Re: CVE request: Denial of Service attacks against Dovecot v1.1+",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2014/05/09/8",
            },
            {
               name: "59537",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/59537",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://advisories.mageia.org/MGASA-2014-0223.html",
            },
            {
               name: "[dovecot] 20140508 Denial of Service attacks against Dovecot v1.1+",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://permalink.gmane.org/gmane.mail.imap.dovecot/77499",
            },
            {
               name: "DSA-2954",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "http://www.debian.org/security/2014/dsa-2954",
            },
            {
               name: "59552",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/59552",
            },
            {
               name: "USN-2213-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "http://www.ubuntu.com/usn/USN-2213-1",
            },
            {
               name: "67306",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/67306",
            },
            {
               name: "MDVSA-2015:113",
               tags: [
                  "vendor-advisory",
                  "x_refsource_MANDRIVA",
               ],
               url: "http://www.mandriva.com/security/advisories?name=MDVSA-2015:113",
            },
            {
               name: "RHSA-2014:0790",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://rhn.redhat.com/errata/RHSA-2014-0790.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://linux.oracle.com/errata/ELSA-2014-0790.html",
            },
            {
               name: "[Dovecot-news] 20140511 v2.2.13 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://dovecot.org/pipermail/dovecot-news/2014-May/000273.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2014-3430",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "[oss-security] 20140509 CVE request: Denial of Service attacks against Dovecot v1.1+",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2014/05/09/4",
                  },
                  {
                     name: "59051",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/59051",
                  },
                  {
                     name: "[oss-security] 20140509 Re: CVE request: Denial of Service attacks against Dovecot v1.1+",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2014/05/09/8",
                  },
                  {
                     name: "59537",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/59537",
                  },
                  {
                     name: "http://advisories.mageia.org/MGASA-2014-0223.html",
                     refsource: "CONFIRM",
                     url: "http://advisories.mageia.org/MGASA-2014-0223.html",
                  },
                  {
                     name: "[dovecot] 20140508 Denial of Service attacks against Dovecot v1.1+",
                     refsource: "MLIST",
                     url: "http://permalink.gmane.org/gmane.mail.imap.dovecot/77499",
                  },
                  {
                     name: "DSA-2954",
                     refsource: "DEBIAN",
                     url: "http://www.debian.org/security/2014/dsa-2954",
                  },
                  {
                     name: "59552",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/59552",
                  },
                  {
                     name: "USN-2213-1",
                     refsource: "UBUNTU",
                     url: "http://www.ubuntu.com/usn/USN-2213-1",
                  },
                  {
                     name: "67306",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/67306",
                  },
                  {
                     name: "MDVSA-2015:113",
                     refsource: "MANDRIVA",
                     url: "http://www.mandriva.com/security/advisories?name=MDVSA-2015:113",
                  },
                  {
                     name: "RHSA-2014:0790",
                     refsource: "REDHAT",
                     url: "http://rhn.redhat.com/errata/RHSA-2014-0790.html",
                  },
                  {
                     name: "http://linux.oracle.com/errata/ELSA-2014-0790.html",
                     refsource: "CONFIRM",
                     url: "http://linux.oracle.com/errata/ELSA-2014-0790.html",
                  },
                  {
                     name: "[Dovecot-news] 20140511 v2.2.13 released",
                     refsource: "MLIST",
                     url: "http://dovecot.org/pipermail/dovecot-news/2014-May/000273.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2014-3430",
      datePublished: "2014-05-14T19:00:00",
      dateReserved: "2014-05-07T00:00:00",
      dateUpdated: "2024-08-06T10:43:06.101Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-33515
Vulnerability from cvelistv5
Published
2021-06-28 12:04
Modified
2024-08-03 23:50
Severity ?
Summary
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T23:50:42.988Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.openwall.com/lists/oss-security/2021/06/28/2",
               },
               {
                  name: "FEDORA-2021-208340a217",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/",
               },
               {
                  name: "FEDORA-2021-891c1ab1ac",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/",
               },
               {
                  name: "GLSA-202107-41",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202107-41",
               },
               {
                  name: "[debian-lts-announce] 20220927 [SECURITY] [DLA 3122-1] dovecot security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-09-27T05:06:17",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.openwall.com/lists/oss-security/2021/06/28/2",
            },
            {
               name: "FEDORA-2021-208340a217",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/",
            },
            {
               name: "FEDORA-2021-891c1ab1ac",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/",
            },
            {
               name: "GLSA-202107-41",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202107-41",
            },
            {
               name: "[debian-lts-announce] 20220927 [SECURITY] [DLA 3122-1] dovecot security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2021-33515",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security",
                     refsource: "MISC",
                     url: "https://dovecot.org/security",
                  },
                  {
                     name: "https://www.openwall.com/lists/oss-security/2021/06/28/2",
                     refsource: "CONFIRM",
                     url: "https://www.openwall.com/lists/oss-security/2021/06/28/2",
                  },
                  {
                     name: "FEDORA-2021-208340a217",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/",
                  },
                  {
                     name: "FEDORA-2021-891c1ab1ac",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/",
                  },
                  {
                     name: "GLSA-202107-41",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202107-41",
                  },
                  {
                     name: "[debian-lts-announce] 20220927 [SECURITY] [DLA 3122-1] dovecot security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2021-33515",
      datePublished: "2021-06-28T12:04:59",
      dateReserved: "2021-05-24T00:00:00",
      dateUpdated: "2024-08-03T23:50:42.988Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2009-3235
Vulnerability from cvelistv5
Published
2009-09-17 10:00
Modified
2024-08-07 06:22
Severity ?
Summary
Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as demonstrated by forwarding an e-mail message to a large number of recipients, a different vulnerability than CVE-2009-2632.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T06:22:23.176Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "36377",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/36377",
               },
               {
                  name: "cmu-sieve-dovecot-unspecified-bo(53248)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/53248",
               },
               {
                  name: "36713",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/36713",
               },
               {
                  name: "SUSE-SR:2009:018",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html",
               },
               {
                  name: "[Dovecot-news] 20090914 Security holes in CMU Sieve plugin",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/list/dovecot-news/2009-September/000135.html",
               },
               {
                  name: "USN-838-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "http://www.ubuntu.com/usn/USN-838-1",
               },
               {
                  name: "58103",
                  tags: [
                     "vdb-entry",
                     "x_refsource_OSVDB",
                     "x_transferred",
                  ],
                  url: "http://www.osvdb.org/58103",
               },
               {
                  name: "oval:org.mitre.oval:def:10515",
                  tags: [
                     "vdb-entry",
                     "signature",
                     "x_refsource_OVAL",
                     "x_transferred",
                  ],
                  url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10515",
               },
               {
                  name: "ADV-2009-3184",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2009/3184",
               },
               {
                  name: "SUSE-SR:2009:016",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html",
               },
               {
                  name: "36904",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/36904",
               },
               {
                  name: "36698",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/36698",
               },
               {
                  name: "ADV-2009-2641",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2009/2641",
               },
               {
                  name: "APPLE-SA-2009-11-09-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_APPLE",
                     "x_transferred",
                  ],
                  url: "http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html",
               },
               {
                  name: "FEDORA-2009-9559",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00491.html",
               },
               {
                  name: "[oss-security] 20090914 Re: CVE for recent cyrus-imap issue",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2009/09/14/3",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://support.apple.com/kb/HT3937",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2009-09-14T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as demonstrated by forwarding an e-mail message to a large number of recipients, a different vulnerability than CVE-2009-2632.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-09-18T12:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "36377",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/36377",
            },
            {
               name: "cmu-sieve-dovecot-unspecified-bo(53248)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/53248",
            },
            {
               name: "36713",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/36713",
            },
            {
               name: "SUSE-SR:2009:018",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html",
            },
            {
               name: "[Dovecot-news] 20090914 Security holes in CMU Sieve plugin",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://dovecot.org/list/dovecot-news/2009-September/000135.html",
            },
            {
               name: "USN-838-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "http://www.ubuntu.com/usn/USN-838-1",
            },
            {
               name: "58103",
               tags: [
                  "vdb-entry",
                  "x_refsource_OSVDB",
               ],
               url: "http://www.osvdb.org/58103",
            },
            {
               name: "oval:org.mitre.oval:def:10515",
               tags: [
                  "vdb-entry",
                  "signature",
                  "x_refsource_OVAL",
               ],
               url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10515",
            },
            {
               name: "ADV-2009-3184",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2009/3184",
            },
            {
               name: "SUSE-SR:2009:016",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html",
            },
            {
               name: "36904",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/36904",
            },
            {
               name: "36698",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/36698",
            },
            {
               name: "ADV-2009-2641",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2009/2641",
            },
            {
               name: "APPLE-SA-2009-11-09-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_APPLE",
               ],
               url: "http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html",
            },
            {
               name: "FEDORA-2009-9559",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00491.html",
            },
            {
               name: "[oss-security] 20090914 Re: CVE for recent cyrus-imap issue",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2009/09/14/3",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://support.apple.com/kb/HT3937",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2009-3235",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as demonstrated by forwarding an e-mail message to a large number of recipients, a different vulnerability than CVE-2009-2632.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "36377",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/36377",
                  },
                  {
                     name: "cmu-sieve-dovecot-unspecified-bo(53248)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/53248",
                  },
                  {
                     name: "36713",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/36713",
                  },
                  {
                     name: "SUSE-SR:2009:018",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html",
                  },
                  {
                     name: "[Dovecot-news] 20090914 Security holes in CMU Sieve plugin",
                     refsource: "MLIST",
                     url: "http://dovecot.org/list/dovecot-news/2009-September/000135.html",
                  },
                  {
                     name: "USN-838-1",
                     refsource: "UBUNTU",
                     url: "http://www.ubuntu.com/usn/USN-838-1",
                  },
                  {
                     name: "58103",
                     refsource: "OSVDB",
                     url: "http://www.osvdb.org/58103",
                  },
                  {
                     name: "oval:org.mitre.oval:def:10515",
                     refsource: "OVAL",
                     url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10515",
                  },
                  {
                     name: "ADV-2009-3184",
                     refsource: "VUPEN",
                     url: "http://www.vupen.com/english/advisories/2009/3184",
                  },
                  {
                     name: "SUSE-SR:2009:016",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html",
                  },
                  {
                     name: "36904",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/36904",
                  },
                  {
                     name: "36698",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/36698",
                  },
                  {
                     name: "ADV-2009-2641",
                     refsource: "VUPEN",
                     url: "http://www.vupen.com/english/advisories/2009/2641",
                  },
                  {
                     name: "APPLE-SA-2009-11-09-1",
                     refsource: "APPLE",
                     url: "http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html",
                  },
                  {
                     name: "FEDORA-2009-9559",
                     refsource: "FEDORA",
                     url: "https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00491.html",
                  },
                  {
                     name: "[oss-security] 20090914 Re: CVE for recent cyrus-imap issue",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2009/09/14/3",
                  },
                  {
                     name: "http://support.apple.com/kb/HT3937",
                     refsource: "CONFIRM",
                     url: "http://support.apple.com/kb/HT3937",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2009-3235",
      datePublished: "2009-09-17T10:00:00",
      dateReserved: "2009-09-16T00:00:00",
      dateUpdated: "2024-08-07T06:22:23.176Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-11499
Vulnerability from cvelistv5
Published
2019-05-08 17:00
Modified
2024-08-04 22:55
Severity ?
Summary
In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T22:55:40.396Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.dovecot.org/security.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.dovecot.org/download.html",
               },
               {
                  name: "FEDORA-2019-9e004decea",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/",
               },
               {
                  name: "FEDORA-2019-1b61a528dd",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
               },
               {
                  name: "openSUSE-SU-2019:2281",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html",
               },
               {
                  name: "openSUSE-SU-2019:2278",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-10-07T20:06:11",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.dovecot.org/security.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.dovecot.org/download.html",
            },
            {
               name: "FEDORA-2019-9e004decea",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/",
            },
            {
               name: "FEDORA-2019-1b61a528dd",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
            },
            {
               name: "openSUSE-SU-2019:2281",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html",
            },
            {
               name: "openSUSE-SU-2019:2278",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html",
            },
         ],
         source: {
            discovery: "INTERNAL",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2019-11499",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.dovecot.org/security.html",
                     refsource: "MISC",
                     url: "https://www.dovecot.org/security.html",
                  },
                  {
                     name: "https://www.dovecot.org/download.html",
                     refsource: "MISC",
                     url: "https://www.dovecot.org/download.html",
                  },
                  {
                     name: "FEDORA-2019-9e004decea",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/",
                  },
                  {
                     name: "FEDORA-2019-1b61a528dd",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
                  },
                  {
                     name: "openSUSE-SU-2019:2281",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html",
                  },
                  {
                     name: "openSUSE-SU-2019:2278",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html",
                  },
               ],
            },
            source: {
               discovery: "INTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-11499",
      datePublished: "2019-05-08T17:00:15",
      dateReserved: "2019-04-24T00:00:00",
      dateUpdated: "2024-08-04T22:55:40.396Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-28200
Vulnerability from cvelistv5
Published
2021-06-28 12:08
Modified
2024-08-04 16:33
Summary
The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T16:33:58.153Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.openwall.com/lists/oss-security/2021/06/28/3",
               },
               {
                  name: "FEDORA-2021-208340a217",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/",
               },
               {
                  name: "FEDORA-2021-891c1ab1ac",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 4.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AC:L/AV:N/A:L/C:N/I:N/PR:L/S:U/UI:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-07-05T02:06:26",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.openwall.com/lists/oss-security/2021/06/28/3",
            },
            {
               name: "FEDORA-2021-208340a217",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/",
            },
            {
               name: "FEDORA-2021-891c1ab1ac",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-28200",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AC:L/AV:N/A:L/C:N/I:N/PR:L/S:U/UI:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security",
                     refsource: "MISC",
                     url: "https://dovecot.org/security",
                  },
                  {
                     name: "https://www.openwall.com/lists/oss-security/2021/06/28/3",
                     refsource: "CONFIRM",
                     url: "https://www.openwall.com/lists/oss-security/2021/06/28/3",
                  },
                  {
                     name: "FEDORA-2021-208340a217",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/",
                  },
                  {
                     name: "FEDORA-2021-891c1ab1ac",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-28200",
      datePublished: "2021-06-28T12:08:46",
      dateReserved: "2020-11-04T00:00:00",
      dateUpdated: "2024-08-04T16:33:58.153Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-25275
Vulnerability from cvelistv5
Published
2021-01-04 16:19
Modified
2024-08-04 15:33
Severity ?
Summary
Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T15:33:05.386Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/01/04/3",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html",
               },
               {
                  name: "DSA-4825",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2021/dsa-4825",
               },
               {
                  name: "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2021/Jan/18",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/160841/Dovecot-2.3.11.3-Denial-Of-Service.html",
               },
               {
                  name: "GLSA-202101-01",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202101-01",
               },
               {
                  name: "FEDORA-2021-c90cb486f7",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-01-20T02:06:07",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/01/04/3",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html",
            },
            {
               name: "DSA-4825",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2021/dsa-4825",
            },
            {
               name: "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2021/Jan/18",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/160841/Dovecot-2.3.11.3-Denial-Of-Service.html",
            },
            {
               name: "GLSA-202101-01",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202101-01",
            },
            {
               name: "FEDORA-2021-c90cb486f7",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-25275",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security",
                     refsource: "MISC",
                     url: "https://dovecot.org/security",
                  },
                  {
                     name: "http://www.openwall.com/lists/oss-security/2021/01/04/3",
                     refsource: "CONFIRM",
                     url: "http://www.openwall.com/lists/oss-security/2021/01/04/3",
                  },
                  {
                     name: "https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html",
                     refsource: "CONFIRM",
                     url: "https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html",
                  },
                  {
                     name: "DSA-4825",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2021/dsa-4825",
                  },
                  {
                     name: "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2021/Jan/18",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/160841/Dovecot-2.3.11.3-Denial-Of-Service.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/160841/Dovecot-2.3.11.3-Denial-Of-Service.html",
                  },
                  {
                     name: "GLSA-202101-01",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202101-01",
                  },
                  {
                     name: "FEDORA-2021-c90cb486f7",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-25275",
      datePublished: "2021-01-04T16:19:08",
      dateReserved: "2020-09-11T00:00:00",
      dateUpdated: "2024-08-04T15:33:05.386Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2008-5301
Vulnerability from cvelistv5
Published
2008-12-01 17:00
Modified
2024-08-07 10:49
Severity ?
Summary
Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to read and modify arbitrary .sieve files via a ".." (dot dot) in a script name.
References
https://exchange.xforce.ibmcloud.com/vulnerabilities/46672vdb-entry, x_refsource_XF
http://www.vupen.com/english/advisories/2008/3190vdb-entry, x_refsource_VUPEN
http://www.ubuntu.com/usn/USN-838-1vendor-advisory, x_refsource_UBUNTU
http://www.dovecot.org/list/dovecot/2008-November/035259.htmlmailing-list, x_refsource_MLIST
http://secunia.com/advisories/32768third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/36904third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/32582vdb-entry, x_refsource_BID
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T10:49:12.314Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "managesieve-sieve-directory-traversal(46672)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46672",
               },
               {
                  name: "ADV-2008-3190",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2008/3190",
               },
               {
                  name: "USN-838-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "http://www.ubuntu.com/usn/USN-838-1",
               },
               {
                  name: "[Dovecot] 20081117 ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot/2008-November/035259.html",
               },
               {
                  name: "32768",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/32768",
               },
               {
                  name: "36904",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/36904",
               },
               {
                  name: "32582",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/32582",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2008-11-17T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to read and modify arbitrary .sieve files via a \"..\" (dot dot) in a script name.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-08-07T12:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "managesieve-sieve-directory-traversal(46672)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46672",
            },
            {
               name: "ADV-2008-3190",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2008/3190",
            },
            {
               name: "USN-838-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "http://www.ubuntu.com/usn/USN-838-1",
            },
            {
               name: "[Dovecot] 20081117 ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot/2008-November/035259.html",
            },
            {
               name: "32768",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/32768",
            },
            {
               name: "36904",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/36904",
            },
            {
               name: "32582",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/32582",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2008-5301",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to read and modify arbitrary .sieve files via a \"..\" (dot dot) in a script name.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "managesieve-sieve-directory-traversal(46672)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46672",
                  },
                  {
                     name: "ADV-2008-3190",
                     refsource: "VUPEN",
                     url: "http://www.vupen.com/english/advisories/2008/3190",
                  },
                  {
                     name: "USN-838-1",
                     refsource: "UBUNTU",
                     url: "http://www.ubuntu.com/usn/USN-838-1",
                  },
                  {
                     name: "[Dovecot] 20081117 ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)",
                     refsource: "MLIST",
                     url: "http://www.dovecot.org/list/dovecot/2008-November/035259.html",
                  },
                  {
                     name: "32768",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/32768",
                  },
                  {
                     name: "36904",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/36904",
                  },
                  {
                     name: "32582",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/32582",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2008-5301",
      datePublished: "2008-12-01T17:00:00",
      dateReserved: "2008-12-01T00:00:00",
      dateUpdated: "2024-08-07T10:49:12.314Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2015-3420
Vulnerability from cvelistv5
Published
2017-09-19 15:00
Modified
2024-08-06 05:47
Severity ?
Summary
The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allow remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T05:47:57.729Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "[oss-security] 20150428 Re: Re: CVE request: Dovecot remote DoS on TLS connections",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2015/04/28/4",
               },
               {
                  name: "[dovecot] 20150424 [patch] TLS Handshake failures can crash imap-login",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/pipermail/dovecot/2015-April/100618.html",
               },
               {
                  name: "[dovecot-news] 20150513 [Dovecot-news] v2.2.17 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/pipermail/dovecot-news/2015-May/000292.html",
               },
               {
                  name: "FEDORA-2015-7159",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158261.html",
               },
               {
                  name: "FEDORA-2015-7156",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157030.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=1216057",
               },
               {
                  name: "FEDORA-2015-7089",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158236.html",
               },
               {
                  name: "[oss-security] 20150427 Re: CVE request: Dovecot remote DoS on TLS connections",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2015/04/27/1",
               },
               {
                  name: "74335",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/74335",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2015-04-24T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allow remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-09-19T14:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "[oss-security] 20150428 Re: Re: CVE request: Dovecot remote DoS on TLS connections",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2015/04/28/4",
            },
            {
               name: "[dovecot] 20150424 [patch] TLS Handshake failures can crash imap-login",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://dovecot.org/pipermail/dovecot/2015-April/100618.html",
            },
            {
               name: "[dovecot-news] 20150513 [Dovecot-news] v2.2.17 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://dovecot.org/pipermail/dovecot-news/2015-May/000292.html",
            },
            {
               name: "FEDORA-2015-7159",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158261.html",
            },
            {
               name: "FEDORA-2015-7156",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157030.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1216057",
            },
            {
               name: "FEDORA-2015-7089",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158236.html",
            },
            {
               name: "[oss-security] 20150427 Re: CVE request: Dovecot remote DoS on TLS connections",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2015/04/27/1",
            },
            {
               name: "74335",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/74335",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2015-3420",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allow remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "[oss-security] 20150428 Re: Re: CVE request: Dovecot remote DoS on TLS connections",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2015/04/28/4",
                  },
                  {
                     name: "[dovecot] 20150424 [patch] TLS Handshake failures can crash imap-login",
                     refsource: "MLIST",
                     url: "https://dovecot.org/pipermail/dovecot/2015-April/100618.html",
                  },
                  {
                     name: "[dovecot-news] 20150513 [Dovecot-news] v2.2.17 released",
                     refsource: "MLIST",
                     url: "https://dovecot.org/pipermail/dovecot-news/2015-May/000292.html",
                  },
                  {
                     name: "FEDORA-2015-7159",
                     refsource: "FEDORA",
                     url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158261.html",
                  },
                  {
                     name: "FEDORA-2015-7156",
                     refsource: "FEDORA",
                     url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157030.html",
                  },
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=1216057",
                     refsource: "CONFIRM",
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=1216057",
                  },
                  {
                     name: "FEDORA-2015-7089",
                     refsource: "FEDORA",
                     url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158236.html",
                  },
                  {
                     name: "[oss-security] 20150427 Re: CVE request: Dovecot remote DoS on TLS connections",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2015/04/27/1",
                  },
                  {
                     name: "74335",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/74335",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2015-3420",
      datePublished: "2017-09-19T15:00:00",
      dateReserved: "2015-04-27T00:00:00",
      dateUpdated: "2024-08-06T05:47:57.729Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-24386
Vulnerability from cvelistv5
Published
2021-01-04 16:25
Modified
2024-08-04 15:12
Severity ?
Summary
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T15:12:08.740Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/01/04/4",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://doc.dovecot.org/configuration_manual/hibernation/",
               },
               {
                  name: "DSA-4825",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2021/dsa-4825",
               },
               {
                  name: "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2021/Jan/18",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html",
               },
               {
                  name: "GLSA-202101-01",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202101-01",
               },
               {
                  name: "FEDORA-2021-c90cb486f7",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-01-20T02:06:06",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/01/04/4",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://doc.dovecot.org/configuration_manual/hibernation/",
            },
            {
               name: "DSA-4825",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2021/dsa-4825",
            },
            {
               name: "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2021/Jan/18",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html",
            },
            {
               name: "GLSA-202101-01",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202101-01",
            },
            {
               name: "FEDORA-2021-c90cb486f7",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/",
            },
         ],
         x_ConverterErrors: {
            cvssV3_1: {
               error: "CVSSV3_1 data from v4 record is invalid",
               message: "Missing mandatory metrics \"AV\"",
            },
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-24386",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "HIGH",
                  availabilityImpact: "NONE",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AC:H/A:N/C:H/I:H/PR:L/S:C/UI:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security",
                     refsource: "MISC",
                     url: "https://dovecot.org/security",
                  },
                  {
                     name: "http://www.openwall.com/lists/oss-security/2021/01/04/4",
                     refsource: "CONFIRM",
                     url: "http://www.openwall.com/lists/oss-security/2021/01/04/4",
                  },
                  {
                     name: "https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html",
                     refsource: "CONFIRM",
                     url: "https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html",
                  },
                  {
                     name: "https://doc.dovecot.org/configuration_manual/hibernation/",
                     refsource: "MISC",
                     url: "https://doc.dovecot.org/configuration_manual/hibernation/",
                  },
                  {
                     name: "DSA-4825",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2021/dsa-4825",
                  },
                  {
                     name: "20210106 CVE-2020-24386: IMAP hibernation allows accessing other peoples mail",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2021/Jan/18",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html",
                  },
                  {
                     name: "GLSA-202101-01",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202101-01",
                  },
                  {
                     name: "FEDORA-2021-c90cb486f7",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-24386",
      datePublished: "2021-01-04T16:25:43",
      dateReserved: "2020-08-19T00:00:00",
      dateUpdated: "2024-08-04T15:12:08.740Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2017-15132
Vulnerability from cvelistv5
Published
2018-01-25 20:00
Modified
2024-09-17 00:36
Severity ?
Summary
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T19:50:16.152Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch",
               },
               {
                  name: "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=1532768",
               },
               {
                  name: "DSA-4130",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2018/dsa-4130",
               },
               {
                  name: "USN-3556-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3556-1/",
               },
               {
                  name: "USN-3556-2",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3556-2/",
               },
               {
                  name: "[dovecot-news] 20180228 v2.2.34 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "dovecot",
               vendor: "The Dovecot Project",
               versions: [
                  {
                     status: "affected",
                     version: "2.0 up to 2.2.33 and 2.3.0",
                  },
               ],
            },
         ],
         datePublic: "2018-01-25T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-400",
                     description: "CWE-400",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2018-04-01T09:57:02",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch",
            },
            {
               name: "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1532768",
            },
            {
               name: "DSA-4130",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2018/dsa-4130",
            },
            {
               name: "USN-3556-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3556-1/",
            },
            {
               name: "USN-3556-2",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3556-2/",
            },
            {
               name: "[dovecot-news] 20180228 v2.2.34 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               DATE_PUBLIC: "2018-01-25T00:00:00",
               ID: "CVE-2017-15132",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "dovecot",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "2.0 up to 2.2.33 and 2.3.0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "The Dovecot Project",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-400",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch",
                     refsource: "CONFIRM",
                     url: "https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch",
                  },
                  {
                     name: "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html",
                  },
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=1532768",
                     refsource: "CONFIRM",
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=1532768",
                  },
                  {
                     name: "DSA-4130",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2018/dsa-4130",
                  },
                  {
                     name: "USN-3556-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3556-1/",
                  },
                  {
                     name: "USN-3556-2",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3556-2/",
                  },
                  {
                     name: "[dovecot-news] 20180228 v2.2.34 released",
                     refsource: "MLIST",
                     url: "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2017-15132",
      datePublished: "2018-01-25T20:00:00Z",
      dateReserved: "2017-10-08T00:00:00",
      dateUpdated: "2024-09-17T00:36:33.953Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2013-2111
Vulnerability from cvelistv5
Published
2014-05-27 15:00
Modified
2024-08-06 15:27
Severity ?
Summary
The IMAP functionality in Dovecot before 2.2.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via invalid APPEND parameters.
References
http://secunia.com/advisories/53492third-party-advisory, x_refsource_SECUNIA
http://www.securitytracker.com/id/1028585vdb-entry, x_refsource_SECTRACK
http://www.openwall.com/lists/oss-security/2013/05/24/1mailing-list, x_refsource_MLIST
http://www.dovecot.org/list/dovecot-news/2013-May/000255.htmlmailing-list, x_refsource_MLIST
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T15:27:40.826Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "53492",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/53492",
               },
               {
                  name: "1028585",
                  tags: [
                     "vdb-entry",
                     "x_refsource_SECTRACK",
                     "x_transferred",
                  ],
                  url: "http://www.securitytracker.com/id/1028585",
               },
               {
                  name: "[oss-security] 20130524 Re: CVE request: dovecot : \"APPEND\" Parameters Processing  Denial of Service Vulnerability",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2013/05/24/1",
               },
               {
                  name: "[Dovecot-news] 20130520 v2.2.2 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot-news/2013-May/000255.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2013-05-20T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The IMAP functionality in Dovecot before 2.2.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via invalid APPEND parameters.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2014-05-27T14:57:00",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "53492",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/53492",
            },
            {
               name: "1028585",
               tags: [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
               ],
               url: "http://www.securitytracker.com/id/1028585",
            },
            {
               name: "[oss-security] 20130524 Re: CVE request: dovecot : \"APPEND\" Parameters Processing  Denial of Service Vulnerability",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2013/05/24/1",
            },
            {
               name: "[Dovecot-news] 20130520 v2.2.2 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot-news/2013-May/000255.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2013-2111",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The IMAP functionality in Dovecot before 2.2.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via invalid APPEND parameters.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "53492",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/53492",
                  },
                  {
                     name: "1028585",
                     refsource: "SECTRACK",
                     url: "http://www.securitytracker.com/id/1028585",
                  },
                  {
                     name: "[oss-security] 20130524 Re: CVE request: dovecot : \"APPEND\" Parameters Processing  Denial of Service Vulnerability",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2013/05/24/1",
                  },
                  {
                     name: "[Dovecot-news] 20130520 v2.2.2 released",
                     refsource: "MLIST",
                     url: "http://www.dovecot.org/list/dovecot-news/2013-May/000255.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2013-2111",
      datePublished: "2014-05-27T15:00:00",
      dateReserved: "2013-02-19T00:00:00",
      dateUpdated: "2024-08-06T15:27:40.826Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-30550
Vulnerability from cvelistv5
Published
2022-07-17 00:00
Modified
2024-10-15 18:35
Summary
An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T06:48:36.356Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.dovecot.org/download/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.openwall.com/lists/oss-security/2022/07/08/1",
               },
               {
                  name: "[debian-lts-announce] 20220927 [SECURITY] [DLA 3122-1] dovecot security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html",
               },
               {
                  name: "GLSA-202310-19",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202310-19",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "HIGH",
                     baseScore: 8.8,
                     baseSeverity: "HIGH",
                     confidentialityImpact: "HIGH",
                     integrityImpact: "HIGH",
                     privilegesRequired: "LOW",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2022-30550",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-10-15T17:16:02.736424Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        description: "CWE-noinfo Not enough information",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-10-15T18:35:00.129Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-10-30T11:06:19.441543",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               url: "https://dovecot.org/security",
            },
            {
               url: "https://www.dovecot.org/download/",
            },
            {
               url: "https://www.openwall.com/lists/oss-security/2022/07/08/1",
            },
            {
               name: "[debian-lts-announce] 20220927 [SECURITY] [DLA 3122-1] dovecot security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2022/09/msg00032.html",
            },
            {
               name: "GLSA-202310-19",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202310-19",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2022-30550",
      datePublished: "2022-07-17T00:00:00",
      dateReserved: "2022-05-11T00:00:00",
      dateUpdated: "2024-10-15T18:35:00.129Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2008-1218
Vulnerability from cvelistv5
Published
2008-03-10 23:00
Modified
2024-08-07 08:17
Severity ?
Summary
Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the skip_password_check field to be specified.
References
http://security.gentoo.org/glsa/glsa-200803-25.xmlvendor-advisory, x_refsource_GENTOO
http://secunia.com/advisories/29295third-party-advisory, x_refsource_SECUNIA
https://exchange.xforce.ibmcloud.com/vulnerabilities/41085vdb-entry, x_refsource_XF
https://www.exploit-db.com/exploits/5257exploit, x_refsource_EXPLOIT-DB
http://secunia.com/advisories/29557third-party-advisory, x_refsource_SECUNIA
http://www.debian.org/security/2008/dsa-1516vendor-advisory, x_refsource_DEBIAN
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108x_refsource_MISC
https://usn.ubuntu.com/593-1/vendor-advisory, x_refsource_UBUNTU
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.htmlvendor-advisory, x_refsource_FEDORA
http://secunia.com/advisories/29364third-party-advisory, x_refsource_SECUNIA
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.htmlvendor-advisory, x_refsource_SUSE
https://issues.rpath.com/browse/RPL-2341x_refsource_CONFIRM
http://www.dovecot.org/list/dovecot-news/2008-March/000064.htmlmailing-list, x_refsource_MLIST
http://www.dovecot.org/list/dovecot-news/2008-March/000065.htmlmailing-list, x_refsource_MLIST
http://secunia.com/advisories/29226third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/archive/1/489481/100/0/threadedmailing-list, x_refsource_BUGTRAQ
http://secunia.com/advisories/32151third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29385third-party-advisory, x_refsource_SECUNIA
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.htmlvendor-advisory, x_refsource_FEDORA
http://www.securityfocus.com/bid/28181vdb-entry, x_refsource_BID
http://secunia.com/advisories/29396third-party-advisory, x_refsource_SECUNIA
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T08:17:34.499Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "GLSA-200803-25",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "http://security.gentoo.org/glsa/glsa-200803-25.xml",
               },
               {
                  name: "29295",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/29295",
               },
               {
                  name: "dovecot-tab-authentication-bypass(41085)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/41085",
               },
               {
                  name: "5257",
                  tags: [
                     "exploit",
                     "x_refsource_EXPLOIT-DB",
                     "x_transferred",
                  ],
                  url: "https://www.exploit-db.com/exploits/5257",
               },
               {
                  name: "29557",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/29557",
               },
               {
                  name: "DSA-1516",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "http://www.debian.org/security/2008/dsa-1516",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108",
               },
               {
                  name: "USN-593-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/593-1/",
               },
               {
                  name: "FEDORA-2008-2475",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html",
               },
               {
                  name: "29364",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/29364",
               },
               {
                  name: "SUSE-SR:2008:020",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://issues.rpath.com/browse/RPL-2341",
               },
               {
                  name: "[Dovecot-news] 20080309 Security hole #6: Some passdbs allowed users to log in without a valid password",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot-news/2008-March/000064.html",
               },
               {
                  name: "[Dovecot-news] 20080309 v1.0.13 and v1.1.rc3 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot-news/2008-March/000065.html",
               },
               {
                  name: "29226",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/29226",
               },
               {
                  name: "20080312 rPSA-2008-0108-1 dovecot",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/archive/1/489481/100/0/threaded",
               },
               {
                  name: "32151",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/32151",
               },
               {
                  name: "29385",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/29385",
               },
               {
                  name: "FEDORA-2008-2464",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html",
               },
               {
                  name: "28181",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/28181",
               },
               {
                  name: "29396",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/29396",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2008-03-09T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the skip_password_check field to be specified.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2018-10-11T19:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "GLSA-200803-25",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "http://security.gentoo.org/glsa/glsa-200803-25.xml",
            },
            {
               name: "29295",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/29295",
            },
            {
               name: "dovecot-tab-authentication-bypass(41085)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/41085",
            },
            {
               name: "5257",
               tags: [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
               ],
               url: "https://www.exploit-db.com/exploits/5257",
            },
            {
               name: "29557",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/29557",
            },
            {
               name: "DSA-1516",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "http://www.debian.org/security/2008/dsa-1516",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108",
            },
            {
               name: "USN-593-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/593-1/",
            },
            {
               name: "FEDORA-2008-2475",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html",
            },
            {
               name: "29364",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/29364",
            },
            {
               name: "SUSE-SR:2008:020",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://issues.rpath.com/browse/RPL-2341",
            },
            {
               name: "[Dovecot-news] 20080309 Security hole #6: Some passdbs allowed users to log in without a valid password",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot-news/2008-March/000064.html",
            },
            {
               name: "[Dovecot-news] 20080309 v1.0.13 and v1.1.rc3 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot-news/2008-March/000065.html",
            },
            {
               name: "29226",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/29226",
            },
            {
               name: "20080312 rPSA-2008-0108-1 dovecot",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "http://www.securityfocus.com/archive/1/489481/100/0/threaded",
            },
            {
               name: "32151",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/32151",
            },
            {
               name: "29385",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/29385",
            },
            {
               name: "FEDORA-2008-2464",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html",
            },
            {
               name: "28181",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/28181",
            },
            {
               name: "29396",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/29396",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2008-1218",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the skip_password_check field to be specified.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "GLSA-200803-25",
                     refsource: "GENTOO",
                     url: "http://security.gentoo.org/glsa/glsa-200803-25.xml",
                  },
                  {
                     name: "29295",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/29295",
                  },
                  {
                     name: "dovecot-tab-authentication-bypass(41085)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/41085",
                  },
                  {
                     name: "5257",
                     refsource: "EXPLOIT-DB",
                     url: "https://www.exploit-db.com/exploits/5257",
                  },
                  {
                     name: "29557",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/29557",
                  },
                  {
                     name: "DSA-1516",
                     refsource: "DEBIAN",
                     url: "http://www.debian.org/security/2008/dsa-1516",
                  },
                  {
                     name: "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108",
                     refsource: "MISC",
                     url: "http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108",
                  },
                  {
                     name: "USN-593-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/593-1/",
                  },
                  {
                     name: "FEDORA-2008-2475",
                     refsource: "FEDORA",
                     url: "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html",
                  },
                  {
                     name: "29364",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/29364",
                  },
                  {
                     name: "SUSE-SR:2008:020",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html",
                  },
                  {
                     name: "https://issues.rpath.com/browse/RPL-2341",
                     refsource: "CONFIRM",
                     url: "https://issues.rpath.com/browse/RPL-2341",
                  },
                  {
                     name: "[Dovecot-news] 20080309 Security hole #6: Some passdbs allowed users to log in without a valid password",
                     refsource: "MLIST",
                     url: "http://www.dovecot.org/list/dovecot-news/2008-March/000064.html",
                  },
                  {
                     name: "[Dovecot-news] 20080309 v1.0.13 and v1.1.rc3 released",
                     refsource: "MLIST",
                     url: "http://www.dovecot.org/list/dovecot-news/2008-March/000065.html",
                  },
                  {
                     name: "29226",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/29226",
                  },
                  {
                     name: "20080312 rPSA-2008-0108-1 dovecot",
                     refsource: "BUGTRAQ",
                     url: "http://www.securityfocus.com/archive/1/489481/100/0/threaded",
                  },
                  {
                     name: "32151",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/32151",
                  },
                  {
                     name: "29385",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/29385",
                  },
                  {
                     name: "FEDORA-2008-2464",
                     refsource: "FEDORA",
                     url: "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html",
                  },
                  {
                     name: "28181",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/28181",
                  },
                  {
                     name: "29396",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/29396",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2008-1218",
      datePublished: "2008-03-10T23:00:00",
      dateReserved: "2008-03-09T00:00:00",
      dateUpdated: "2024-08-07T08:17:34.499Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2017-2669
Vulnerability from cvelistv5
Published
2018-06-21 13:00
Modified
2024-08-05 14:02
Summary
Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T14:02:06.877Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "[dovecot-news] 20170410 v2.2.29 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html",
               },
               {
                  name: "[oss-security] 20170411 CVE-2017-2669: Dovecot DoS when passdb dict was used for authentication",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2017/04/11/1",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch",
               },
               {
                  name: "DSA-3828",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2017/dsa-3828",
               },
               {
                  name: "97536",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/97536",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "dovecot",
               vendor: "[UNKNOWN]",
               versions: [
                  {
                     status: "affected",
                     version: "dovecot 2.2.29",
                  },
               ],
            },
         ],
         datePublic: "2017-04-10T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 3.7,
                  baseSeverity: "LOW",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-20",
                     description: "CWE-20",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2018-06-22T09:57:01",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "[dovecot-news] 20170410 v2.2.29 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html",
            },
            {
               name: "[oss-security] 20170411 CVE-2017-2669: Dovecot DoS when passdb dict was used for authentication",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2017/04/11/1",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch",
            },
            {
               name: "DSA-3828",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2017/dsa-3828",
            },
            {
               name: "97536",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/97536",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2017-2669",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "dovecot",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "dovecot 2.2.29",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "[UNKNOWN]",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.",
                  },
               ],
            },
            impact: {
               cvss: [
                  [
                     {
                        vectorString: "3.7/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                        version: "3.0",
                     },
                  ],
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-20",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "[dovecot-news] 20170410 v2.2.29 released",
                     refsource: "MLIST",
                     url: "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html",
                  },
                  {
                     name: "[oss-security] 20170411 CVE-2017-2669: Dovecot DoS when passdb dict was used for authentication",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2017/04/11/1",
                  },
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669",
                     refsource: "CONFIRM",
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669",
                  },
                  {
                     name: "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch",
                     refsource: "CONFIRM",
                     url: "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch",
                  },
                  {
                     name: "DSA-3828",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2017/dsa-3828",
                  },
                  {
                     name: "97536",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/97536",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2017-2669",
      datePublished: "2018-06-21T13:00:00",
      dateReserved: "2016-12-01T00:00:00",
      dateUpdated: "2024-08-05T14:02:06.877Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2007-2231
Vulnerability from cvelistv5
Published
2007-04-25 15:00
Modified
2024-08-07 13:33
Severity ?
Summary
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
References
http://www.ubuntu.com/usn/usn-487-1vendor-advisory, x_refsource_UBUNTU
http://secunia.com/advisories/30342third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2008-0297.htmlvendor-advisory, x_refsource_REDHAT
http://www.securityfocus.com/bid/23552vdb-entry, x_refsource_BID
http://www.debian.org/security/2007/dsa-1359vendor-advisory, x_refsource_DEBIAN
http://dovecot.org/doc/NEWSx_refsource_CONFIRM
http://dovecot.org/list/dovecot-cvs/2007-March/008488.htmlmailing-list, x_refsource_MLIST
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995vdb-entry, signature, x_refsource_OVAL
https://exchange.xforce.ibmcloud.com/vulnerabilities/34082vdb-entry, x_refsource_XF
http://www.novell.com/linux/security/advisories/2007_8_sr.htmlvendor-advisory, x_refsource_SUSE
http://www.vupen.com/english/advisories/2007/1452vdb-entry, x_refsource_VUPEN
http://dovecot.org/list/dovecot-news/2007-March/000038.htmlmailing-list, x_refsource_MLIST
http://secunia.com/advisories/25072third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/archive/1/466168/100/0/threadedmailing-list, x_refsource_BUGTRAQ
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T13:33:27.439Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "USN-487-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "http://www.ubuntu.com/usn/usn-487-1",
               },
               {
                  name: "30342",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/30342",
               },
               {
                  name: "RHSA-2008:0297",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html",
               },
               {
                  name: "23552",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/23552",
               },
               {
                  name: "DSA-1359",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "http://www.debian.org/security/2007/dsa-1359",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/doc/NEWS",
               },
               {
                  name: "[dovecot-cvs] 20070330 dovecot/src/lib-storage/index/mbox mbox-storage.c, 1.145.2.14, 1.145.2.15",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html",
               },
               {
                  name: "oval:org.mitre.oval:def:10995",
                  tags: [
                     "vdb-entry",
                     "signature",
                     "x_refsource_OVAL",
                     "x_transferred",
                  ],
                  url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995",
               },
               {
                  name: "dovecot-mboxstorage-directory-traversal(34082)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082",
               },
               {
                  name: "SUSE-SR:2007:008",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://www.novell.com/linux/security/advisories/2007_8_sr.html",
               },
               {
                  name: "ADV-2007-1452",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2007/1452",
               },
               {
                  name: "[dovecot-news] 20070330 Security hole #3: zlib plugin allows opening any gziped mboxes",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/list/dovecot-news/2007-March/000038.html",
               },
               {
                  name: "25072",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/25072",
               },
               {
                  name: "20070418 rPSA-2007-0074-1 dovecot",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/archive/1/466168/100/0/threaded",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2007-04-18T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2018-10-16T14:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "USN-487-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "http://www.ubuntu.com/usn/usn-487-1",
            },
            {
               name: "30342",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/30342",
            },
            {
               name: "RHSA-2008:0297",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html",
            },
            {
               name: "23552",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/23552",
            },
            {
               name: "DSA-1359",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "http://www.debian.org/security/2007/dsa-1359",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://dovecot.org/doc/NEWS",
            },
            {
               name: "[dovecot-cvs] 20070330 dovecot/src/lib-storage/index/mbox mbox-storage.c, 1.145.2.14, 1.145.2.15",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html",
            },
            {
               name: "oval:org.mitre.oval:def:10995",
               tags: [
                  "vdb-entry",
                  "signature",
                  "x_refsource_OVAL",
               ],
               url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995",
            },
            {
               name: "dovecot-mboxstorage-directory-traversal(34082)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082",
            },
            {
               name: "SUSE-SR:2007:008",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://www.novell.com/linux/security/advisories/2007_8_sr.html",
            },
            {
               name: "ADV-2007-1452",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2007/1452",
            },
            {
               name: "[dovecot-news] 20070330 Security hole #3: zlib plugin allows opening any gziped mboxes",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://dovecot.org/list/dovecot-news/2007-March/000038.html",
            },
            {
               name: "25072",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/25072",
            },
            {
               name: "20070418 rPSA-2007-0074-1 dovecot",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "http://www.securityfocus.com/archive/1/466168/100/0/threaded",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2007-2231",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "USN-487-1",
                     refsource: "UBUNTU",
                     url: "http://www.ubuntu.com/usn/usn-487-1",
                  },
                  {
                     name: "30342",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/30342",
                  },
                  {
                     name: "RHSA-2008:0297",
                     refsource: "REDHAT",
                     url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html",
                  },
                  {
                     name: "23552",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/23552",
                  },
                  {
                     name: "DSA-1359",
                     refsource: "DEBIAN",
                     url: "http://www.debian.org/security/2007/dsa-1359",
                  },
                  {
                     name: "http://dovecot.org/doc/NEWS",
                     refsource: "CONFIRM",
                     url: "http://dovecot.org/doc/NEWS",
                  },
                  {
                     name: "[dovecot-cvs] 20070330 dovecot/src/lib-storage/index/mbox mbox-storage.c, 1.145.2.14, 1.145.2.15",
                     refsource: "MLIST",
                     url: "http://dovecot.org/list/dovecot-cvs/2007-March/008488.html",
                  },
                  {
                     name: "oval:org.mitre.oval:def:10995",
                     refsource: "OVAL",
                     url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10995",
                  },
                  {
                     name: "dovecot-mboxstorage-directory-traversal(34082)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/34082",
                  },
                  {
                     name: "SUSE-SR:2007:008",
                     refsource: "SUSE",
                     url: "http://www.novell.com/linux/security/advisories/2007_8_sr.html",
                  },
                  {
                     name: "ADV-2007-1452",
                     refsource: "VUPEN",
                     url: "http://www.vupen.com/english/advisories/2007/1452",
                  },
                  {
                     name: "[dovecot-news] 20070330 Security hole #3: zlib plugin allows opening any gziped mboxes",
                     refsource: "MLIST",
                     url: "http://dovecot.org/list/dovecot-news/2007-March/000038.html",
                  },
                  {
                     name: "25072",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/25072",
                  },
                  {
                     name: "20070418 rPSA-2007-0074-1 dovecot",
                     refsource: "BUGTRAQ",
                     url: "http://www.securityfocus.com/archive/1/466168/100/0/threaded",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2007-2231",
      datePublished: "2007-04-25T15:00:00",
      dateReserved: "2007-04-25T00:00:00",
      dateUpdated: "2024-08-07T13:33:27.439Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2017-15130
Vulnerability from cvelistv5
Published
2018-03-02 15:00
Modified
2024-09-16 20:17
Severity ?
Summary
A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart.
References
https://usn.ubuntu.com/3587-1/vendor-advisory, x_refsource_UBUNTU
http://seclists.org/oss-sec/2018/q1/205mailing-list, x_refsource_MLIST
https://lists.debian.org/debian-lts-announce/2018/03/msg00036.htmlmailing-list, x_refsource_MLIST
https://www.debian.org/security/2018/dsa-4130vendor-advisory, x_refsource_DEBIAN
https://usn.ubuntu.com/3587-2/vendor-advisory, x_refsource_UBUNTU
https://bugzilla.redhat.com/show_bug.cgi?id=1532356x_refsource_CONFIRM
https://www.dovecot.org/list/dovecot-news/2018-February/000370.htmlmailing-list, x_refsource_MLIST
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T19:50:16.075Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "USN-3587-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3587-1/",
               },
               {
                  name: "[oss-security] 20180301 Dovecot Security Advisory: CVE-2017-15130 TLS SNI config lookups are inefficient and can be used for DoS",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/oss-sec/2018/q1/205",
               },
               {
                  name: "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html",
               },
               {
                  name: "DSA-4130",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2018/dsa-4130",
               },
               {
                  name: "USN-3587-2",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3587-2/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=1532356",
               },
               {
                  name: "[dovecot-news] 20180228 v2.2.34 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "dovecot",
               vendor: "The Dovecot Project",
               versions: [
                  {
                     status: "affected",
                     version: "before 2.2.34",
                  },
               ],
            },
         ],
         datePublic: "2018-02-28T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-400",
                     description: "CWE-400",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2018-04-03T09:57:01",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "USN-3587-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3587-1/",
            },
            {
               name: "[oss-security] 20180301 Dovecot Security Advisory: CVE-2017-15130 TLS SNI config lookups are inefficient and can be used for DoS",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://seclists.org/oss-sec/2018/q1/205",
            },
            {
               name: "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html",
            },
            {
               name: "DSA-4130",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2018/dsa-4130",
            },
            {
               name: "USN-3587-2",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3587-2/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=1532356",
            },
            {
               name: "[dovecot-news] 20180228 v2.2.34 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               DATE_PUBLIC: "2018-02-28T00:00:00",
               ID: "CVE-2017-15130",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "dovecot",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "before 2.2.34",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "The Dovecot Project",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-400",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "USN-3587-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3587-1/",
                  },
                  {
                     name: "[oss-security] 20180301 Dovecot Security Advisory: CVE-2017-15130 TLS SNI config lookups are inefficient and can be used for DoS",
                     refsource: "MLIST",
                     url: "http://seclists.org/oss-sec/2018/q1/205",
                  },
                  {
                     name: "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html",
                  },
                  {
                     name: "DSA-4130",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2018/dsa-4130",
                  },
                  {
                     name: "USN-3587-2",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3587-2/",
                  },
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=1532356",
                     refsource: "CONFIRM",
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=1532356",
                  },
                  {
                     name: "[dovecot-news] 20180228 v2.2.34 released",
                     refsource: "MLIST",
                     url: "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2017-15130",
      datePublished: "2018-03-02T15:00:00Z",
      dateReserved: "2017-10-08T00:00:00",
      dateUpdated: "2024-09-16T20:17:43.957Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2008-4578
Vulnerability from cvelistv5
Published
2008-10-15 20:00
Modified
2024-08-07 10:24
Severity ?
Summary
The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass intended access restrictions by using the "k" right to create unauthorized "parent/child/child" mailboxes.
References
http://secunia.com/advisories/32164third-party-advisory, x_refsource_SECUNIA
https://exchange.xforce.ibmcloud.com/vulnerabilities/45669vdb-entry, x_refsource_XF
http://secunia.com/advisories/33149third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2008/2745vdb-entry, x_refsource_VUPEN
http://www.securityfocus.com/bid/31587vdb-entry, x_refsource_BID
http://www.mandriva.com/security/advisories?name=MDVSA-2008:232vendor-advisory, x_refsource_MANDRIVA
http://security.gentoo.org/glsa/glsa-200812-16.xmlvendor-advisory, x_refsource_GENTOO
http://bugs.gentoo.org/show_bug.cgi?id=240409x_refsource_CONFIRM
http://www.dovecot.org/list/dovecot-news/2008-October/000085.htmlmailing-list, x_refsource_MLIST
http://www.securityfocus.com/archive/1/498498/100/0/threadedmailing-list, x_refsource_BUGTRAQ
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T10:24:19.353Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "32164",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/32164",
               },
               {
                  name: "dovecot-acl-mailbox-security-bypass(45669)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/45669",
               },
               {
                  name: "33149",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/33149",
               },
               {
                  name: "ADV-2008-2745",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2008/2745",
               },
               {
                  name: "31587",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/31587",
               },
               {
                  name: "MDVSA-2008:232",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_MANDRIVA",
                     "x_transferred",
                  ],
                  url: "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232",
               },
               {
                  name: "GLSA-200812-16",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "http://security.gentoo.org/glsa/glsa-200812-16.xml",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://bugs.gentoo.org/show_bug.cgi?id=240409",
               },
               {
                  name: "[Dovecot-news] 20081005 v1.1.4 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html",
               },
               {
                  name: "20081119 Re: [ MDVSA-2008:232 ] dovecot",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/archive/1/498498/100/0/threaded",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2008-10-05T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass intended access restrictions by using the \"k\" right to create unauthorized \"parent/child/child\" mailboxes.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2018-10-11T19:57:01",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "32164",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/32164",
            },
            {
               name: "dovecot-acl-mailbox-security-bypass(45669)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/45669",
            },
            {
               name: "33149",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/33149",
            },
            {
               name: "ADV-2008-2745",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2008/2745",
            },
            {
               name: "31587",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/31587",
            },
            {
               name: "MDVSA-2008:232",
               tags: [
                  "vendor-advisory",
                  "x_refsource_MANDRIVA",
               ],
               url: "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232",
            },
            {
               name: "GLSA-200812-16",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "http://security.gentoo.org/glsa/glsa-200812-16.xml",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://bugs.gentoo.org/show_bug.cgi?id=240409",
            },
            {
               name: "[Dovecot-news] 20081005 v1.1.4 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html",
            },
            {
               name: "20081119 Re: [ MDVSA-2008:232 ] dovecot",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "http://www.securityfocus.com/archive/1/498498/100/0/threaded",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2008-4578",
      datePublished: "2008-10-15T20:00:00",
      dateReserved: "2008-10-15T00:00:00",
      dateUpdated: "2024-08-07T10:24:19.353Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2010-3706
Vulnerability from cvelistv5
Published
2010-10-06 16:00
Modified
2024-08-07 03:18
Severity ?
Summary
plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T03:18:52.956Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "[oss-security] 20101004 Re: CVE Request: more dovecot ACL issues",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://marc.info/?l=oss-security&m=128622064325688&w=2",
               },
               {
                  name: "USN-1059-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "http://www.ubuntu.com/usn/USN-1059-1",
               },
               {
                  name: "SUSE-SR:2010:020",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html",
               },
               {
                  name: "ADV-2010-2572",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2010/2572",
               },
               {
                  name: "[oss-security] 20101004 CVE Request: more dovecot ACL issues",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://marc.info/?l=oss-security&m=128620520732377&w=2",
               },
               {
                  name: "MDVSA-2010:217",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_MANDRIVA",
                     "x_transferred",
                  ],
                  url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217",
               },
               {
                  name: "43220",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/43220",
               },
               {
                  name: "ADV-2011-0301",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2011/0301",
               },
               {
                  name: "[dovecot] 20101002 v1.2.15 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot/2010-October/053450.html",
               },
               {
                  name: "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot/2010-October/053452.html",
               },
               {
                  name: "ADV-2010-2840",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2010/2840",
               },
               {
                  name: "[dovecot] 20101002 v2.0.5 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot/2010-October/053451.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2010-10-02T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2010-11-19T10:00:00",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "[oss-security] 20101004 Re: CVE Request: more dovecot ACL issues",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://marc.info/?l=oss-security&m=128622064325688&w=2",
            },
            {
               name: "USN-1059-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "http://www.ubuntu.com/usn/USN-1059-1",
            },
            {
               name: "SUSE-SR:2010:020",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html",
            },
            {
               name: "ADV-2010-2572",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2010/2572",
            },
            {
               name: "[oss-security] 20101004 CVE Request: more dovecot ACL issues",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://marc.info/?l=oss-security&m=128620520732377&w=2",
            },
            {
               name: "MDVSA-2010:217",
               tags: [
                  "vendor-advisory",
                  "x_refsource_MANDRIVA",
               ],
               url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217",
            },
            {
               name: "43220",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/43220",
            },
            {
               name: "ADV-2011-0301",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2011/0301",
            },
            {
               name: "[dovecot] 20101002 v1.2.15 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot/2010-October/053450.html",
            },
            {
               name: "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot/2010-October/053452.html",
            },
            {
               name: "ADV-2010-2840",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2010/2840",
            },
            {
               name: "[dovecot] 20101002 v2.0.5 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot/2010-October/053451.html",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2010-3706",
      datePublished: "2010-10-06T16:00:00",
      dateReserved: "2010-10-01T00:00:00",
      dateUpdated: "2024-08-07T03:18:52.956Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2008-4577
Vulnerability from cvelistv5
Published
2008-10-15 20:00
Modified
2024-08-07 10:24
Severity ?
Summary
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
References
http://secunia.com/advisories/32164third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/32471third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/33149third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2008/2745vdb-entry, x_refsource_VUPEN
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.htmlvendor-advisory, x_refsource_FEDORA
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376vdb-entry, signature, x_refsource_OVAL
http://www.securityfocus.com/bid/31587vdb-entry, x_refsource_BID
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.htmlvendor-advisory, x_refsource_FEDORA
http://www.mandriva.com/security/advisories?name=MDVSA-2008:232vendor-advisory, x_refsource_MANDRIVA
http://www.ubuntu.com/usn/USN-838-1vendor-advisory, x_refsource_UBUNTU
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.htmlvendor-advisory, x_refsource_SUSE
http://security.gentoo.org/glsa/glsa-200812-16.xmlvendor-advisory, x_refsource_GENTOO
http://bugs.gentoo.org/show_bug.cgi?id=240409x_refsource_CONFIRM
http://www.redhat.com/support/errata/RHSA-2009-0205.htmlvendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/33624third-party-advisory, x_refsource_SECUNIA
http://www.dovecot.org/list/dovecot-news/2008-October/000085.htmlmailing-list, x_refsource_MLIST
http://secunia.com/advisories/36904third-party-advisory, x_refsource_SECUNIA
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T10:24:20.877Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "32164",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/32164",
               },
               {
                  name: "32471",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/32471",
               },
               {
                  name: "33149",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/33149",
               },
               {
                  name: "ADV-2008-2745",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2008/2745",
               },
               {
                  name: "FEDORA-2008-9202",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html",
               },
               {
                  name: "oval:org.mitre.oval:def:10376",
                  tags: [
                     "vdb-entry",
                     "signature",
                     "x_refsource_OVAL",
                     "x_transferred",
                  ],
                  url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376",
               },
               {
                  name: "31587",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/31587",
               },
               {
                  name: "FEDORA-2008-9232",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html",
               },
               {
                  name: "MDVSA-2008:232",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_MANDRIVA",
                     "x_transferred",
                  ],
                  url: "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232",
               },
               {
                  name: "USN-838-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "http://www.ubuntu.com/usn/USN-838-1",
               },
               {
                  name: "SUSE-SR:2009:004",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html",
               },
               {
                  name: "GLSA-200812-16",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "http://security.gentoo.org/glsa/glsa-200812-16.xml",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://bugs.gentoo.org/show_bug.cgi?id=240409",
               },
               {
                  name: "RHSA-2009:0205",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2009-0205.html",
               },
               {
                  name: "33624",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/33624",
               },
               {
                  name: "[Dovecot-news] 20081005 v1.1.4 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html",
               },
               {
                  name: "36904",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/36904",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2008-10-05T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-09-28T12:57:01",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "32164",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/32164",
            },
            {
               name: "32471",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/32471",
            },
            {
               name: "33149",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/33149",
            },
            {
               name: "ADV-2008-2745",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2008/2745",
            },
            {
               name: "FEDORA-2008-9202",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html",
            },
            {
               name: "oval:org.mitre.oval:def:10376",
               tags: [
                  "vdb-entry",
                  "signature",
                  "x_refsource_OVAL",
               ],
               url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376",
            },
            {
               name: "31587",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/31587",
            },
            {
               name: "FEDORA-2008-9232",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html",
            },
            {
               name: "MDVSA-2008:232",
               tags: [
                  "vendor-advisory",
                  "x_refsource_MANDRIVA",
               ],
               url: "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232",
            },
            {
               name: "USN-838-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "http://www.ubuntu.com/usn/USN-838-1",
            },
            {
               name: "SUSE-SR:2009:004",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html",
            },
            {
               name: "GLSA-200812-16",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "http://security.gentoo.org/glsa/glsa-200812-16.xml",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://bugs.gentoo.org/show_bug.cgi?id=240409",
            },
            {
               name: "RHSA-2009:0205",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2009-0205.html",
            },
            {
               name: "33624",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/33624",
            },
            {
               name: "[Dovecot-news] 20081005 v1.1.4 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html",
            },
            {
               name: "36904",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/36904",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2008-4577",
      datePublished: "2008-10-15T20:00:00",
      dateReserved: "2008-10-15T00:00:00",
      dateUpdated: "2024-08-07T10:24:20.877Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-12673
Vulnerability from cvelistv5
Published
2020-08-12 15:18
Modified
2024-08-04 12:04
Severity ?
Summary
In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T12:04:22.551Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.openwall.com/lists/oss-security/2020/08/12/2",
               },
               {
                  name: "DSA-4745",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2020/dsa-4745",
               },
               {
                  name: "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html",
               },
               {
                  name: "USN-4456-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4456-1/",
               },
               {
                  name: "USN-4456-2",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4456-2/",
               },
               {
                  name: "openSUSE-SU-2020:1241",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html",
               },
               {
                  name: "openSUSE-SU-2020:1262",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html",
               },
               {
                  name: "FEDORA-2020-cd8b8f887b",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/",
               },
               {
                  name: "GLSA-202009-02",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202009-02",
               },
               {
                  name: "FEDORA-2020-b8ebc4201e",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/",
               },
               {
                  name: "FEDORA-2020-d737c57172",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-10-13T21:06:10",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.openwall.com/lists/oss-security/2020/08/12/2",
            },
            {
               name: "DSA-4745",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2020/dsa-4745",
            },
            {
               name: "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html",
            },
            {
               name: "USN-4456-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4456-1/",
            },
            {
               name: "USN-4456-2",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4456-2/",
            },
            {
               name: "openSUSE-SU-2020:1241",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html",
            },
            {
               name: "openSUSE-SU-2020:1262",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html",
            },
            {
               name: "FEDORA-2020-cd8b8f887b",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/",
            },
            {
               name: "GLSA-202009-02",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/202009-02",
            },
            {
               name: "FEDORA-2020-b8ebc4201e",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/",
            },
            {
               name: "FEDORA-2020-d737c57172",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-12673",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security",
                     refsource: "MISC",
                     url: "https://dovecot.org/security",
                  },
                  {
                     name: "https://www.openwall.com/lists/oss-security/2020/08/12/2",
                     refsource: "CONFIRM",
                     url: "https://www.openwall.com/lists/oss-security/2020/08/12/2",
                  },
                  {
                     name: "DSA-4745",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2020/dsa-4745",
                  },
                  {
                     name: "[debian-lts-announce] 20200815 [SECURITY] [DLA 2328-1] dovecot security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html",
                  },
                  {
                     name: "USN-4456-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4456-1/",
                  },
                  {
                     name: "USN-4456-2",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4456-2/",
                  },
                  {
                     name: "openSUSE-SU-2020:1241",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html",
                  },
                  {
                     name: "openSUSE-SU-2020:1262",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html",
                  },
                  {
                     name: "FEDORA-2020-cd8b8f887b",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/",
                  },
                  {
                     name: "GLSA-202009-02",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/202009-02",
                  },
                  {
                     name: "FEDORA-2020-b8ebc4201e",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/",
                  },
                  {
                     name: "FEDORA-2020-d737c57172",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-12673",
      datePublished: "2020-08-12T15:18:13",
      dateReserved: "2020-05-06T00:00:00",
      dateUpdated: "2024-08-04T12:04:22.551Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2011-4318
Vulnerability from cvelistv5
Published
2013-03-07 01:00
Modified
2024-08-07 00:01
Severity ?
Summary
Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T00:01:51.650Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "46886",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/46886",
               },
               {
                  name: "RHSA-2013:0520",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://rhn.redhat.com/errata/RHSA-2013-0520.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://bugs.gentoo.org/show_bug.cgi?id=390887",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=754980",
               },
               {
                  name: "52311",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/52311",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1",
               },
               {
                  name: "[dovecot-news] 20111117 v2.0.16 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot-news/2011-November/000200.html",
               },
               {
                  name: "[oss-security] 20111118 Re: CVE Request -- Dovecot -- Validate certificate's  CN against requested remote server hostname when proxying",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2011/11/18/7",
               },
               {
                  name: "[oss-security] 20111118 Re: CVE Request -- Dovecot -- Validate certificate's  CN against requested remote server hostname when proxying",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2011/11/18/5",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2013-03-07T01:00:00Z",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "46886",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/46886",
            },
            {
               name: "RHSA-2013:0520",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://rhn.redhat.com/errata/RHSA-2013-0520.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://bugs.gentoo.org/show_bug.cgi?id=390887",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=754980",
            },
            {
               name: "52311",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/52311",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1",
            },
            {
               name: "[dovecot-news] 20111117 v2.0.16 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot-news/2011-November/000200.html",
            },
            {
               name: "[oss-security] 20111118 Re: CVE Request -- Dovecot -- Validate certificate's  CN against requested remote server hostname when proxying",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2011/11/18/7",
            },
            {
               name: "[oss-security] 20111118 Re: CVE Request -- Dovecot -- Validate certificate's  CN against requested remote server hostname when proxying",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2011/11/18/5",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2011-4318",
      datePublished: "2013-03-07T01:00:00Z",
      dateReserved: "2011-11-04T00:00:00Z",
      dateUpdated: "2024-08-07T00:01:51.650Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-10967
Vulnerability from cvelistv5
Published
2020-05-18 14:02
Modified
2024-08-04 11:21
Summary
In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.
References
https://dovecot.org/securityx_refsource_MISC
https://www.openwall.com/lists/oss-security/2020/05/18/1x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2020/05/18/1mailing-list, x_refsource_MLIST
https://usn.ubuntu.com/4361-1/vendor-advisory, x_refsource_UBUNTU
http://seclists.org/fulldisclosure/2020/May/37mailing-list, x_refsource_FULLDISC
http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.htmlx_refsource_MISC
https://www.debian.org/security/2020/dsa-4690vendor-advisory, x_refsource_DEBIAN
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/vendor-advisory, x_refsource_FEDORA
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.htmlvendor-advisory, x_refsource_SUSE
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/vendor-advisory, x_refsource_FEDORA
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T11:21:14.414Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.openwall.com/lists/oss-security/2020/05/18/1",
               },
               {
                  name: "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2020/05/18/1",
               },
               {
                  name: "USN-4361-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4361-1/",
               },
               {
                  name: "20200519 Multiple vulnerabilities in Dovecot IMAP server",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2020/May/37",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html",
               },
               {
                  name: "DSA-4690",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2020/dsa-4690",
               },
               {
                  name: "FEDORA-2020-1dee17d880",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/",
               },
               {
                  name: "openSUSE-SU-2020:0720",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html",
               },
               {
                  name: "FEDORA-2020-b60344c987",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/",
               },
               {
                  name: "FEDORA-2020-cd8b8f887b",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/",
               },
               {
                  name: "FEDORA-2020-b8ebc4201e",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/",
               },
               {
                  name: "FEDORA-2020-d737c57172",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AC:L/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:N",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-10-13T21:06:08",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.openwall.com/lists/oss-security/2020/05/18/1",
            },
            {
               name: "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2020/05/18/1",
            },
            {
               name: "USN-4361-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4361-1/",
            },
            {
               name: "20200519 Multiple vulnerabilities in Dovecot IMAP server",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2020/May/37",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html",
            },
            {
               name: "DSA-4690",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2020/dsa-4690",
            },
            {
               name: "FEDORA-2020-1dee17d880",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/",
            },
            {
               name: "openSUSE-SU-2020:0720",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html",
            },
            {
               name: "FEDORA-2020-b60344c987",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/",
            },
            {
               name: "FEDORA-2020-cd8b8f887b",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/",
            },
            {
               name: "FEDORA-2020-b8ebc4201e",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/",
            },
            {
               name: "FEDORA-2020-d737c57172",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-10967",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AC:L/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:N",
                  version: "3.0",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security",
                     refsource: "MISC",
                     url: "https://dovecot.org/security",
                  },
                  {
                     name: "https://www.openwall.com/lists/oss-security/2020/05/18/1",
                     refsource: "CONFIRM",
                     url: "https://www.openwall.com/lists/oss-security/2020/05/18/1",
                  },
                  {
                     name: "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2020/05/18/1",
                  },
                  {
                     name: "USN-4361-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4361-1/",
                  },
                  {
                     name: "20200519 Multiple vulnerabilities in Dovecot IMAP server",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2020/May/37",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html",
                  },
                  {
                     name: "DSA-4690",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2020/dsa-4690",
                  },
                  {
                     name: "FEDORA-2020-1dee17d880",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/",
                  },
                  {
                     name: "openSUSE-SU-2020:0720",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html",
                  },
                  {
                     name: "FEDORA-2020-b60344c987",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/",
                  },
                  {
                     name: "FEDORA-2020-cd8b8f887b",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/",
                  },
                  {
                     name: "FEDORA-2020-b8ebc4201e",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/",
                  },
                  {
                     name: "FEDORA-2020-d737c57172",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-10967",
      datePublished: "2020-05-18T14:02:55",
      dateReserved: "2020-03-26T00:00:00",
      dateUpdated: "2024-08-04T11:21:14.414Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-10957
Vulnerability from cvelistv5
Published
2020-05-18 13:56
Modified
2024-08-04 11:21
Summary
In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T11:21:13.823Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.openwall.com/lists/oss-security/2020/05/18/1",
               },
               {
                  name: "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2020/05/18/1",
               },
               {
                  name: "USN-4361-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4361-1/",
               },
               {
                  name: "20200519 Multiple vulnerabilities in Dovecot IMAP server",
                  tags: [
                     "mailing-list",
                     "x_refsource_FULLDISC",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2020/May/37",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html",
               },
               {
                  name: "DSA-4690",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2020/dsa-4690",
               },
               {
                  name: "FEDORA-2020-1dee17d880",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/",
               },
               {
                  name: "openSUSE-SU-2020:0720",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html",
               },
               {
                  name: "FEDORA-2020-b60344c987",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:U/UI:N",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-05-28T03:06:11",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.openwall.com/lists/oss-security/2020/05/18/1",
            },
            {
               name: "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2020/05/18/1",
            },
            {
               name: "USN-4361-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4361-1/",
            },
            {
               name: "20200519 Multiple vulnerabilities in Dovecot IMAP server",
               tags: [
                  "mailing-list",
                  "x_refsource_FULLDISC",
               ],
               url: "http://seclists.org/fulldisclosure/2020/May/37",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html",
            },
            {
               name: "DSA-4690",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2020/dsa-4690",
            },
            {
               name: "FEDORA-2020-1dee17d880",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/",
            },
            {
               name: "openSUSE-SU-2020:0720",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html",
            },
            {
               name: "FEDORA-2020-b60344c987",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-10957",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:U/UI:N",
                  version: "3.0",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security",
                     refsource: "MISC",
                     url: "https://dovecot.org/security",
                  },
                  {
                     name: "https://www.openwall.com/lists/oss-security/2020/05/18/1",
                     refsource: "CONFIRM",
                     url: "https://www.openwall.com/lists/oss-security/2020/05/18/1",
                  },
                  {
                     name: "[oss-security] 20200518 Multiple vulnerabilities in Dovecot IMAP server",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2020/05/18/1",
                  },
                  {
                     name: "USN-4361-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4361-1/",
                  },
                  {
                     name: "20200519 Multiple vulnerabilities in Dovecot IMAP server",
                     refsource: "FULLDISC",
                     url: "http://seclists.org/fulldisclosure/2020/May/37",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html",
                  },
                  {
                     name: "DSA-4690",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2020/dsa-4690",
                  },
                  {
                     name: "FEDORA-2020-1dee17d880",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/",
                  },
                  {
                     name: "openSUSE-SU-2020:0720",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html",
                  },
                  {
                     name: "FEDORA-2020-b60344c987",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-10957",
      datePublished: "2020-05-18T13:56:25",
      dateReserved: "2020-03-25T00:00:00",
      dateUpdated: "2024-08-04T11:21:13.823Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2011-2166
Vulnerability from cvelistv5
Published
2011-05-24 23:00
Modified
2024-08-06 22:53
Severity ?
Summary
script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script.
References
http://www.dovecot.org/doc/NEWS-2.0x_refsource_CONFIRM
http://dovecot.org/pipermail/dovecot/2011-May/059085.htmlmailing-list, x_refsource_MLIST
http://rhn.redhat.com/errata/RHSA-2013-0520.htmlvendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/52311third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/48003vdb-entry, x_refsource_BID
http://openwall.com/lists/oss-security/2011/05/18/4mailing-list, x_refsource_MLIST
https://exchange.xforce.ibmcloud.com/vulnerabilities/67675vdb-entry, x_refsource_XF
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T22:53:17.033Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/doc/NEWS-2.0",
               },
               {
                  name: "[dovecot] 20110511 v2.0.13 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/pipermail/dovecot/2011-May/059085.html",
               },
               {
                  name: "RHSA-2013:0520",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://rhn.redhat.com/errata/RHSA-2013-0520.html",
               },
               {
                  name: "52311",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/52311",
               },
               {
                  name: "48003",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/48003",
               },
               {
                  name: "[oss-security] 20110518 Dovecot releases",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://openwall.com/lists/oss-security/2011/05/18/4",
               },
               {
                  name: "dovecot-scriptlogin-sec-bypass(67675)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/67675",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2011-05-11T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-08-28T12:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://www.dovecot.org/doc/NEWS-2.0",
            },
            {
               name: "[dovecot] 20110511 v2.0.13 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://dovecot.org/pipermail/dovecot/2011-May/059085.html",
            },
            {
               name: "RHSA-2013:0520",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://rhn.redhat.com/errata/RHSA-2013-0520.html",
            },
            {
               name: "52311",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/52311",
            },
            {
               name: "48003",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/48003",
            },
            {
               name: "[oss-security] 20110518 Dovecot releases",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://openwall.com/lists/oss-security/2011/05/18/4",
            },
            {
               name: "dovecot-scriptlogin-sec-bypass(67675)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/67675",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2011-2166",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "http://www.dovecot.org/doc/NEWS-2.0",
                     refsource: "CONFIRM",
                     url: "http://www.dovecot.org/doc/NEWS-2.0",
                  },
                  {
                     name: "[dovecot] 20110511 v2.0.13 released",
                     refsource: "MLIST",
                     url: "http://dovecot.org/pipermail/dovecot/2011-May/059085.html",
                  },
                  {
                     name: "RHSA-2013:0520",
                     refsource: "REDHAT",
                     url: "http://rhn.redhat.com/errata/RHSA-2013-0520.html",
                  },
                  {
                     name: "52311",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/52311",
                  },
                  {
                     name: "48003",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/48003",
                  },
                  {
                     name: "[oss-security] 20110518 Dovecot releases",
                     refsource: "MLIST",
                     url: "http://openwall.com/lists/oss-security/2011/05/18/4",
                  },
                  {
                     name: "dovecot-scriptlogin-sec-bypass(67675)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/67675",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2011-2166",
      datePublished: "2011-05-24T23:00:00",
      dateReserved: "2011-05-24T00:00:00",
      dateUpdated: "2024-08-06T22:53:17.033Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2017-14461
Vulnerability from cvelistv5
Published
2018-03-02 15:00
Modified
2024-09-16 23:00
Summary
A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server.
References
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T19:27:40.633Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "USN-3587-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3587-1/",
               },
               {
                  name: "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html",
               },
               {
                  name: "DSA-4130",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2018/dsa-4130",
               },
               {
                  name: "USN-3587-2",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/3587-2/",
               },
               {
                  name: "103201",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/103201",
               },
               {
                  name: "[dovecot-news] 20180228 v2.2.34 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0510",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Dovecot",
               vendor: "The Dovecot Project",
               versions: [
                  {
                     status: "affected",
                     version: "2.2.33.2",
                  },
               ],
            },
         ],
         datePublic: "2018-02-28T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-125",
                     description: "CWE-125: Out-of-bounds Read",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-04-19T18:21:09",
            orgId: "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
            shortName: "talos",
         },
         references: [
            {
               name: "USN-3587-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3587-1/",
            },
            {
               name: "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html",
            },
            {
               name: "DSA-4130",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2018/dsa-4130",
            },
            {
               name: "USN-3587-2",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/3587-2/",
            },
            {
               name: "103201",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/103201",
            },
            {
               name: "[dovecot-news] 20180228 v2.2.34 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0510",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "talos-cna@cisco.com",
               DATE_PUBLIC: "2018-02-28T00:00:00",
               ID: "CVE-2017-14461",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "Dovecot",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "2.2.33.2",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "The Dovecot Project",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server.",
                  },
               ],
            },
            impact: {
               cvss: {
                  baseScore: 5.9,
                  baseSeverity: "Medium",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H",
                  version: "3.0",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-125: Out-of-bounds Read",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "USN-3587-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3587-1/",
                  },
                  {
                     name: "[debian-lts-announce] 20180331 [SECURITY] [DLA 1333-1] dovecot security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html",
                  },
                  {
                     name: "DSA-4130",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2018/dsa-4130",
                  },
                  {
                     name: "USN-3587-2",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/3587-2/",
                  },
                  {
                     name: "103201",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/103201",
                  },
                  {
                     name: "[dovecot-news] 20180228 v2.2.34 released",
                     refsource: "MLIST",
                     url: "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html",
                  },
                  {
                     name: "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0510",
                     refsource: "MISC",
                     url: "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0510",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
      assignerShortName: "talos",
      cveId: "CVE-2017-14461",
      datePublished: "2018-03-02T15:00:00Z",
      dateReserved: "2017-09-13T00:00:00",
      dateUpdated: "2024-09-16T23:00:46.355Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-7046
Vulnerability from cvelistv5
Published
2020-02-12 16:40
Modified
2024-08-04 09:18
Summary
lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T09:18:02.989Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/security",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2020/02/12/1",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html",
               },
               {
                  name: "FEDORA-2020-10a58fda28",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/",
               },
               {
                  name: "FEDORA-2020-0e6a67af5a",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop.",
            },
         ],
         metrics: [
            {
               cvssV3_0: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:U/UI:N",
                  version: "3.0",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-02-20T06:06:10",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://dovecot.org/security",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://www.openwall.com/lists/oss-security/2020/02/12/1",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html",
            },
            {
               name: "FEDORA-2020-10a58fda28",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/",
            },
            {
               name: "FEDORA-2020-0e6a67af5a",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2020-7046",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:U/UI:N",
                  version: "3.0",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://dovecot.org/security",
                     refsource: "MISC",
                     url: "https://dovecot.org/security",
                  },
                  {
                     name: "http://www.openwall.com/lists/oss-security/2020/02/12/1",
                     refsource: "CONFIRM",
                     url: "http://www.openwall.com/lists/oss-security/2020/02/12/1",
                  },
                  {
                     name: "https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html",
                     refsource: "CONFIRM",
                     url: "https://dovecot.org/pipermail/dovecot-news/2020-February/000431.html",
                  },
                  {
                     name: "FEDORA-2020-10a58fda28",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XYT55WH372BJOXCJRKBDIFGBMPVOIDT/",
                  },
                  {
                     name: "FEDORA-2020-0e6a67af5a",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2020-7046",
      datePublished: "2020-02-12T16:40:16",
      dateReserved: "2020-01-14T00:00:00",
      dateUpdated: "2024-08-04T09:18:02.989Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2008-1199
Vulnerability from cvelistv5
Published
2008-03-06 21:00
Modified
2024-08-07 08:17
Severity ?
Summary
Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.
References
http://security.gentoo.org/glsa/glsa-200803-25.xmlvendor-advisory, x_refsource_GENTOO
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739vdb-entry, signature, x_refsource_OVAL
http://www.dovecot.org/list/dovecot-news/2008-March/000061.htmlmailing-list, x_refsource_MLIST
http://secunia.com/advisories/29557third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/archive/1/489133/100/0/threadedmailing-list, x_refsource_BUGTRAQ
http://secunia.com/advisories/30342third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2008-0297.htmlvendor-advisory, x_refsource_REDHAT
http://www.debian.org/security/2008/dsa-1516vendor-advisory, x_refsource_DEBIAN
https://usn.ubuntu.com/593-1/vendor-advisory, x_refsource_UBUNTU
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.htmlvendor-advisory, x_refsource_FEDORA
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.htmlvendor-advisory, x_refsource_SUSE
http://www.securityfocus.com/bid/28092vdb-entry, x_refsource_BID
http://secunia.com/advisories/29226third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/32151third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29385third-party-advisory, x_refsource_SECUNIA
https://exchange.xforce.ibmcloud.com/vulnerabilities/41009vdb-entry, x_refsource_XF
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.htmlvendor-advisory, x_refsource_FEDORA
http://secunia.com/advisories/29396third-party-advisory, x_refsource_SECUNIA
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T08:17:33.897Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "GLSA-200803-25",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "http://security.gentoo.org/glsa/glsa-200803-25.xml",
               },
               {
                  name: "oval:org.mitre.oval:def:10739",
                  tags: [
                     "vdb-entry",
                     "signature",
                     "x_refsource_OVAL",
                     "x_transferred",
                  ],
                  url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739",
               },
               {
                  name: "[Dovecot-news] 20080504 v1.0.11 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html",
               },
               {
                  name: "29557",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/29557",
               },
               {
                  name: "20080304 Dovecot mail_extra_groups setting is often used insecurely",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/archive/1/489133/100/0/threaded",
               },
               {
                  name: "30342",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/30342",
               },
               {
                  name: "RHSA-2008:0297",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html",
               },
               {
                  name: "DSA-1516",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "http://www.debian.org/security/2008/dsa-1516",
               },
               {
                  name: "USN-593-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/593-1/",
               },
               {
                  name: "FEDORA-2008-2475",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html",
               },
               {
                  name: "SUSE-SR:2008:020",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html",
               },
               {
                  name: "28092",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/28092",
               },
               {
                  name: "29226",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/29226",
               },
               {
                  name: "32151",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/32151",
               },
               {
                  name: "29385",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/29385",
               },
               {
                  name: "dovecot-mailextragroups-unauth-access(41009)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009",
               },
               {
                  name: "FEDORA-2008-2464",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html",
               },
               {
                  name: "29396",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/29396",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2008-03-04T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2018-10-11T19:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "GLSA-200803-25",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "http://security.gentoo.org/glsa/glsa-200803-25.xml",
            },
            {
               name: "oval:org.mitre.oval:def:10739",
               tags: [
                  "vdb-entry",
                  "signature",
                  "x_refsource_OVAL",
               ],
               url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739",
            },
            {
               name: "[Dovecot-news] 20080504 v1.0.11 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html",
            },
            {
               name: "29557",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/29557",
            },
            {
               name: "20080304 Dovecot mail_extra_groups setting is often used insecurely",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "http://www.securityfocus.com/archive/1/489133/100/0/threaded",
            },
            {
               name: "30342",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/30342",
            },
            {
               name: "RHSA-2008:0297",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html",
            },
            {
               name: "DSA-1516",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "http://www.debian.org/security/2008/dsa-1516",
            },
            {
               name: "USN-593-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/593-1/",
            },
            {
               name: "FEDORA-2008-2475",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html",
            },
            {
               name: "SUSE-SR:2008:020",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html",
            },
            {
               name: "28092",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/28092",
            },
            {
               name: "29226",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/29226",
            },
            {
               name: "32151",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/32151",
            },
            {
               name: "29385",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/29385",
            },
            {
               name: "dovecot-mailextragroups-unauth-access(41009)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009",
            },
            {
               name: "FEDORA-2008-2464",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html",
            },
            {
               name: "29396",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/29396",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2008-1199",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "GLSA-200803-25",
                     refsource: "GENTOO",
                     url: "http://security.gentoo.org/glsa/glsa-200803-25.xml",
                  },
                  {
                     name: "oval:org.mitre.oval:def:10739",
                     refsource: "OVAL",
                     url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739",
                  },
                  {
                     name: "[Dovecot-news] 20080504 v1.0.11 released",
                     refsource: "MLIST",
                     url: "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html",
                  },
                  {
                     name: "29557",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/29557",
                  },
                  {
                     name: "20080304 Dovecot mail_extra_groups setting is often used insecurely",
                     refsource: "BUGTRAQ",
                     url: "http://www.securityfocus.com/archive/1/489133/100/0/threaded",
                  },
                  {
                     name: "30342",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/30342",
                  },
                  {
                     name: "RHSA-2008:0297",
                     refsource: "REDHAT",
                     url: "http://www.redhat.com/support/errata/RHSA-2008-0297.html",
                  },
                  {
                     name: "DSA-1516",
                     refsource: "DEBIAN",
                     url: "http://www.debian.org/security/2008/dsa-1516",
                  },
                  {
                     name: "USN-593-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/593-1/",
                  },
                  {
                     name: "FEDORA-2008-2475",
                     refsource: "FEDORA",
                     url: "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html",
                  },
                  {
                     name: "SUSE-SR:2008:020",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html",
                  },
                  {
                     name: "28092",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/28092",
                  },
                  {
                     name: "29226",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/29226",
                  },
                  {
                     name: "32151",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/32151",
                  },
                  {
                     name: "29385",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/29385",
                  },
                  {
                     name: "dovecot-mailextragroups-unauth-access(41009)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009",
                  },
                  {
                     name: "FEDORA-2008-2464",
                     refsource: "FEDORA",
                     url: "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html",
                  },
                  {
                     name: "29396",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/29396",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2008-1199",
      datePublished: "2008-03-06T21:00:00",
      dateReserved: "2008-03-06T00:00:00",
      dateUpdated: "2024-08-07T08:17:33.897Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2008-4870
Vulnerability from cvelistv5
Published
2008-10-31 22:00
Modified
2024-08-07 10:31
Severity ?
Summary
dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.
References
http://secunia.com/advisories/32164third-party-advisory, x_refsource_SECUNIA
http://www.openwall.com/lists/oss-security/2008/10/29/10mailing-list, x_refsource_MLIST
http://secunia.com/advisories/33149third-party-advisory, x_refsource_SECUNIA
https://exchange.xforce.ibmcloud.com/vulnerabilities/46323vdb-entry, x_refsource_XF
https://bugzilla.redhat.com/show_bug.cgi?id=436287x_refsource_CONFIRM
http://security.gentoo.org/glsa/glsa-200812-16.xmlvendor-advisory, x_refsource_GENTOO
http://www.redhat.com/support/errata/RHSA-2009-0205.htmlvendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/33624third-party-advisory, x_refsource_SECUNIA
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776vdb-entry, signature, x_refsource_OVAL
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T10:31:27.923Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "32164",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/32164",
               },
               {
                  name: "[oss-security] 20081029 CVE Request (dovecot)",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2008/10/29/10",
               },
               {
                  name: "33149",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/33149",
               },
               {
                  name: "dovecot-dovecot-information-disclosure(46323)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=436287",
               },
               {
                  name: "GLSA-200812-16",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "http://security.gentoo.org/glsa/glsa-200812-16.xml",
               },
               {
                  name: "RHSA-2009:0205",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2009-0205.html",
               },
               {
                  name: "33624",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/33624",
               },
               {
                  name: "oval:org.mitre.oval:def:10776",
                  tags: [
                     "vdb-entry",
                     "signature",
                     "x_refsource_OVAL",
                     "x_transferred",
                  ],
                  url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2008-10-29T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-09-28T12:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "32164",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/32164",
            },
            {
               name: "[oss-security] 20081029 CVE Request (dovecot)",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2008/10/29/10",
            },
            {
               name: "33149",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/33149",
            },
            {
               name: "dovecot-dovecot-information-disclosure(46323)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=436287",
            },
            {
               name: "GLSA-200812-16",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "http://security.gentoo.org/glsa/glsa-200812-16.xml",
            },
            {
               name: "RHSA-2009:0205",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2009-0205.html",
            },
            {
               name: "33624",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/33624",
            },
            {
               name: "oval:org.mitre.oval:def:10776",
               tags: [
                  "vdb-entry",
                  "signature",
                  "x_refsource_OVAL",
               ],
               url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2008-4870",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "32164",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/32164",
                  },
                  {
                     name: "[oss-security] 20081029 CVE Request (dovecot)",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2008/10/29/10",
                  },
                  {
                     name: "33149",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/33149",
                  },
                  {
                     name: "dovecot-dovecot-information-disclosure(46323)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46323",
                  },
                  {
                     name: "https://bugzilla.redhat.com/show_bug.cgi?id=436287",
                     refsource: "CONFIRM",
                     url: "https://bugzilla.redhat.com/show_bug.cgi?id=436287",
                  },
                  {
                     name: "GLSA-200812-16",
                     refsource: "GENTOO",
                     url: "http://security.gentoo.org/glsa/glsa-200812-16.xml",
                  },
                  {
                     name: "RHSA-2009:0205",
                     refsource: "REDHAT",
                     url: "http://www.redhat.com/support/errata/RHSA-2009-0205.html",
                  },
                  {
                     name: "33624",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/33624",
                  },
                  {
                     name: "oval:org.mitre.oval:def:10776",
                     refsource: "OVAL",
                     url: "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10776",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2008-4870",
      datePublished: "2008-10-31T22:00:00",
      dateReserved: "2008-10-31T00:00:00",
      dateUpdated: "2024-08-07T10:31:27.923Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-11500
Vulnerability from cvelistv5
Published
2019-08-29 13:51
Modified
2024-08-04 22:55
Severity ?
Summary
In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T22:55:40.604Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.dovecot.org/security.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2019/08/28/3",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html",
               },
               {
                  name: "[debian-lts-announce] 20190829 [SECURITY] [DLA 1901-1] dovecot security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html",
               },
               {
                  name: "FEDORA-2019-3844281be1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/",
               },
               {
                  name: "GLSA-201908-29",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/201908-29",
               },
               {
                  name: "FEDORA-2019-59d60bd1fa",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/",
               },
               {
                  name: "FEDORA-2019-ea638fb605",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/",
               },
               {
                  name: "RHSA-2019:2822",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:2822",
               },
               {
                  name: "RHSA-2019:2836",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:2836",
               },
               {
                  name: "RHSA-2019:2885",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/errata/RHSA-2019:2885",
               },
               {
                  name: "openSUSE-SU-2019:2281",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html",
               },
               {
                  name: "openSUSE-SU-2019:2278",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-10-07T20:06:11",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.dovecot.org/security.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://www.openwall.com/lists/oss-security/2019/08/28/3",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html",
            },
            {
               name: "[debian-lts-announce] 20190829 [SECURITY] [DLA 1901-1] dovecot security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html",
            },
            {
               name: "FEDORA-2019-3844281be1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/",
            },
            {
               name: "GLSA-201908-29",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/201908-29",
            },
            {
               name: "FEDORA-2019-59d60bd1fa",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/",
            },
            {
               name: "FEDORA-2019-ea638fb605",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/",
            },
            {
               name: "RHSA-2019:2822",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:2822",
            },
            {
               name: "RHSA-2019:2836",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:2836",
            },
            {
               name: "RHSA-2019:2885",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2019:2885",
            },
            {
               name: "openSUSE-SU-2019:2281",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html",
            },
            {
               name: "openSUSE-SU-2019:2278",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2019-11500",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.dovecot.org/security.html",
                     refsource: "MISC",
                     url: "https://www.dovecot.org/security.html",
                  },
                  {
                     name: "http://www.openwall.com/lists/oss-security/2019/08/28/3",
                     refsource: "CONFIRM",
                     url: "http://www.openwall.com/lists/oss-security/2019/08/28/3",
                  },
                  {
                     name: "https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html",
                     refsource: "CONFIRM",
                     url: "https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html",
                  },
                  {
                     name: "[debian-lts-announce] 20190829 [SECURITY] [DLA 1901-1] dovecot security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html",
                  },
                  {
                     name: "FEDORA-2019-3844281be1",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/",
                  },
                  {
                     name: "GLSA-201908-29",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/201908-29",
                  },
                  {
                     name: "FEDORA-2019-59d60bd1fa",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/",
                  },
                  {
                     name: "FEDORA-2019-ea638fb605",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/",
                  },
                  {
                     name: "RHSA-2019:2822",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:2822",
                  },
                  {
                     name: "RHSA-2019:2836",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:2836",
                  },
                  {
                     name: "RHSA-2019:2885",
                     refsource: "REDHAT",
                     url: "https://access.redhat.com/errata/RHSA-2019:2885",
                  },
                  {
                     name: "openSUSE-SU-2019:2281",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html",
                  },
                  {
                     name: "openSUSE-SU-2019:2278",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-11500",
      datePublished: "2019-08-29T13:51:46",
      dateReserved: "2019-04-24T00:00:00",
      dateUpdated: "2024-08-04T22:55:40.604Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2011-1929
Vulnerability from cvelistv5
Published
2011-05-24 23:00
Modified
2024-08-06 22:46
Severity ?
Summary
lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\0' characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message.
References
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061384.htmlvendor-advisory, x_refsource_FEDORA
http://hg.dovecot.org/dovecot-1.1/rev/3698dfe0f21cx_refsource_CONFIRM
http://secunia.com/advisories/44771third-party-advisory, x_refsource_SECUNIA
http://dovecot.org/pipermail/dovecot/2011-May/059086.htmlmailing-list, x_refsource_MLIST
http://www.debian.org/security/2011/dsa-2252vendor-advisory, x_refsource_DEBIAN
http://www.mandriva.com/security/advisories?name=MDVSA-2011:101vendor-advisory, x_refsource_MANDRIVA
http://www.dovecot.org/doc/NEWS-2.0x_refsource_CONFIRM
https://bugzilla.redhat.com/show_bug.cgi?id=706286x_refsource_CONFIRM
http://dovecot.org/pipermail/dovecot/2011-May/059085.htmlmailing-list, x_refsource_MLIST
http://www.redhat.com/support/errata/RHSA-2011-1187.htmlvendor-advisory, x_refsource_REDHAT
http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060825.htmlvendor-advisory, x_refsource_FEDORA
http://osvdb.org/72495vdb-entry, x_refsource_OSVDB
https://exchange.xforce.ibmcloud.com/vulnerabilities/67589vdb-entry, x_refsource_XF
https://hermes.opensuse.org/messages/8581790vendor-advisory, x_refsource_SUSE
http://www.securityfocus.com/bid/47930vdb-entry, x_refsource_BID
http://openwall.com/lists/oss-security/2011/05/19/6mailing-list, x_refsource_MLIST
http://secunia.com/advisories/44756third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/44827third-party-advisory, x_refsource_SECUNIA
http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060815.htmlvendor-advisory, x_refsource_FEDORA
http://secunia.com/advisories/44683third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/44712third-party-advisory, x_refsource_SECUNIA
http://www.ubuntu.com/usn/USN-1143-1vendor-advisory, x_refsource_UBUNTU
http://openwall.com/lists/oss-security/2011/05/19/3mailing-list, x_refsource_MLIST
http://www.dovecot.org/doc/NEWS-1.2x_refsource_CONFIRM
http://openwall.com/lists/oss-security/2011/05/18/4mailing-list, x_refsource_MLIST
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T22:46:00.589Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "FEDORA-2011-7612",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061384.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://hg.dovecot.org/dovecot-1.1/rev/3698dfe0f21c",
               },
               {
                  name: "44771",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/44771",
               },
               {
                  name: "[dovecot] 20110511 v1.2.17 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/pipermail/dovecot/2011-May/059086.html",
               },
               {
                  name: "DSA-2252",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "http://www.debian.org/security/2011/dsa-2252",
               },
               {
                  name: "MDVSA-2011:101",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_MANDRIVA",
                     "x_transferred",
                  ],
                  url: "http://www.mandriva.com/security/advisories?name=MDVSA-2011:101",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/doc/NEWS-2.0",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=706286",
               },
               {
                  name: "[dovecot] 20110511 v2.0.13 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://dovecot.org/pipermail/dovecot/2011-May/059085.html",
               },
               {
                  name: "RHSA-2011:1187",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2011-1187.html",
               },
               {
                  name: "FEDORA-2011-7268",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060825.html",
               },
               {
                  name: "72495",
                  tags: [
                     "vdb-entry",
                     "x_refsource_OSVDB",
                     "x_transferred",
                  ],
                  url: "http://osvdb.org/72495",
               },
               {
                  name: "dovecot-header-name-dos(67589)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/67589",
               },
               {
                  name: "openSUSE-SU-2011:0540",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "https://hermes.opensuse.org/messages/8581790",
               },
               {
                  name: "47930",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/47930",
               },
               {
                  name: "[oss-security] 20110519 Re: Dovecot releases",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://openwall.com/lists/oss-security/2011/05/19/6",
               },
               {
                  name: "44756",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/44756",
               },
               {
                  name: "44827",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/44827",
               },
               {
                  name: "FEDORA-2011-7258",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060815.html",
               },
               {
                  name: "44683",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/44683",
               },
               {
                  name: "44712",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/44712",
               },
               {
                  name: "USN-1143-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "http://www.ubuntu.com/usn/USN-1143-1",
               },
               {
                  name: "[oss-security] 20110519 Re: Dovecot releases",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://openwall.com/lists/oss-security/2011/05/19/3",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/doc/NEWS-1.2",
               },
               {
                  name: "[oss-security] 20110518 Dovecot releases",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://openwall.com/lists/oss-security/2011/05/18/4",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2011-05-11T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\\0' characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-08-16T14:57:01",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "FEDORA-2011-7612",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061384.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://hg.dovecot.org/dovecot-1.1/rev/3698dfe0f21c",
            },
            {
               name: "44771",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/44771",
            },
            {
               name: "[dovecot] 20110511 v1.2.17 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://dovecot.org/pipermail/dovecot/2011-May/059086.html",
            },
            {
               name: "DSA-2252",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "http://www.debian.org/security/2011/dsa-2252",
            },
            {
               name: "MDVSA-2011:101",
               tags: [
                  "vendor-advisory",
                  "x_refsource_MANDRIVA",
               ],
               url: "http://www.mandriva.com/security/advisories?name=MDVSA-2011:101",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://www.dovecot.org/doc/NEWS-2.0",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=706286",
            },
            {
               name: "[dovecot] 20110511 v2.0.13 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://dovecot.org/pipermail/dovecot/2011-May/059085.html",
            },
            {
               name: "RHSA-2011:1187",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2011-1187.html",
            },
            {
               name: "FEDORA-2011-7268",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060825.html",
            },
            {
               name: "72495",
               tags: [
                  "vdb-entry",
                  "x_refsource_OSVDB",
               ],
               url: "http://osvdb.org/72495",
            },
            {
               name: "dovecot-header-name-dos(67589)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/67589",
            },
            {
               name: "openSUSE-SU-2011:0540",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "https://hermes.opensuse.org/messages/8581790",
            },
            {
               name: "47930",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/47930",
            },
            {
               name: "[oss-security] 20110519 Re: Dovecot releases",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://openwall.com/lists/oss-security/2011/05/19/6",
            },
            {
               name: "44756",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/44756",
            },
            {
               name: "44827",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/44827",
            },
            {
               name: "FEDORA-2011-7258",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060815.html",
            },
            {
               name: "44683",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/44683",
            },
            {
               name: "44712",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/44712",
            },
            {
               name: "USN-1143-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "http://www.ubuntu.com/usn/USN-1143-1",
            },
            {
               name: "[oss-security] 20110519 Re: Dovecot releases",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://openwall.com/lists/oss-security/2011/05/19/3",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://www.dovecot.org/doc/NEWS-1.2",
            },
            {
               name: "[oss-security] 20110518 Dovecot releases",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://openwall.com/lists/oss-security/2011/05/18/4",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2011-1929",
      datePublished: "2011-05-24T23:00:00",
      dateReserved: "2011-05-09T00:00:00",
      dateUpdated: "2024-08-06T22:46:00.589Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2019-10691
Vulnerability from cvelistv5
Published
2019-04-24 16:49
Modified
2024-08-04 22:32
Severity ?
Summary
The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username.
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T22:32:01.932Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "[oss-security] 20190418 CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes  when encountering invalid UTF-8 characters.",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2019/04/18/3",
               },
               {
                  name: "[dovecot-news] 20190418 CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters.",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://dovecot.org/list/dovecot-news/2019-April/000406.html",
               },
               {
                  name: "openSUSE-SU-2019:1312",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html",
               },
               {
                  name: "FEDORA-2019-1b61a528dd",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
               },
               {
                  name: "GLSA-201908-29",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/201908-29",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2019-04-18T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-08-31T22:06:06",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "[oss-security] 20190418 CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes  when encountering invalid UTF-8 characters.",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2019/04/18/3",
            },
            {
               name: "[dovecot-news] 20190418 CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters.",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://dovecot.org/list/dovecot-news/2019-April/000406.html",
            },
            {
               name: "openSUSE-SU-2019:1312",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html",
            },
            {
               name: "FEDORA-2019-1b61a528dd",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
            },
            {
               name: "GLSA-201908-29",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/201908-29",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2019-10691",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "[oss-security] 20190418 CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes  when encountering invalid UTF-8 characters.",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2019/04/18/3",
                  },
                  {
                     name: "[dovecot-news] 20190418 CVE-2019-10691: JSON encoder in Dovecot 2.3 incorrecty assert-crashes when encountering invalid UTF-8 characters.",
                     refsource: "MLIST",
                     url: "https://dovecot.org/list/dovecot-news/2019-April/000406.html",
                  },
                  {
                     name: "openSUSE-SU-2019:1312",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html",
                  },
                  {
                     name: "FEDORA-2019-1b61a528dd",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
                  },
                  {
                     name: "GLSA-201908-29",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/201908-29",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2019-10691",
      datePublished: "2019-04-24T16:49:37",
      dateReserved: "2019-04-02T00:00:00",
      dateUpdated: "2024-08-04T22:32:01.932Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2010-3780
Vulnerability from cvelistv5
Published
2010-10-06 20:00
Modified
2024-08-07 03:18
Severity ?
Summary
Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneously disconnecting many (1) IMAP or (2) POP3 sessions.
References
http://www.ubuntu.com/usn/USN-1059-1vendor-advisory, x_refsource_UBUNTU
http://www.mandriva.com/security/advisories?name=MDVSA-2010:217vendor-advisory, x_refsource_MANDRIVA
http://secunia.com/advisories/43220third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2011/0301vdb-entry, x_refsource_VUPEN
http://www.dovecot.org/list/dovecot/2010-October/053450.htmlmailing-list, x_refsource_MLIST
http://www.redhat.com/support/errata/RHSA-2011-0600.htmlvendor-advisory, x_refsource_REDHAT
http://www.vupen.com/english/advisories/2010/2840vdb-entry, x_refsource_VUPEN
Impacted products
Vendor Product Version
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T03:18:53.196Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "USN-1059-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "http://www.ubuntu.com/usn/USN-1059-1",
               },
               {
                  name: "MDVSA-2010:217",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_MANDRIVA",
                     "x_transferred",
                  ],
                  url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217",
               },
               {
                  name: "43220",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/43220",
               },
               {
                  name: "ADV-2011-0301",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2011/0301",
               },
               {
                  name: "[dovecot] 20101002 v1.2.15 released",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.dovecot.org/list/dovecot/2010-October/053450.html",
               },
               {
                  name: "RHSA-2011:0600",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_REDHAT",
                     "x_transferred",
                  ],
                  url: "http://www.redhat.com/support/errata/RHSA-2011-0600.html",
               },
               {
                  name: "ADV-2010-2840",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2010/2840",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2010-10-02T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneously disconnecting many (1) IMAP or (2) POP3 sessions.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2010-11-19T10:00:00",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "USN-1059-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "http://www.ubuntu.com/usn/USN-1059-1",
            },
            {
               name: "MDVSA-2010:217",
               tags: [
                  "vendor-advisory",
                  "x_refsource_MANDRIVA",
               ],
               url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217",
            },
            {
               name: "43220",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/43220",
            },
            {
               name: "ADV-2011-0301",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2011/0301",
            },
            {
               name: "[dovecot] 20101002 v1.2.15 released",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.dovecot.org/list/dovecot/2010-October/053450.html",
            },
            {
               name: "RHSA-2011:0600",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "http://www.redhat.com/support/errata/RHSA-2011-0600.html",
            },
            {
               name: "ADV-2010-2840",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2010/2840",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2010-3780",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneously disconnecting many (1) IMAP or (2) POP3 sessions.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "USN-1059-1",
                     refsource: "UBUNTU",
                     url: "http://www.ubuntu.com/usn/USN-1059-1",
                  },
                  {
                     name: "MDVSA-2010:217",
                     refsource: "MANDRIVA",
                     url: "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217",
                  },
                  {
                     name: "43220",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/43220",
                  },
                  {
                     name: "ADV-2011-0301",
                     refsource: "VUPEN",
                     url: "http://www.vupen.com/english/advisories/2011/0301",
                  },
                  {
                     name: "[dovecot] 20101002 v1.2.15 released",
                     refsource: "MLIST",
                     url: "http://www.dovecot.org/list/dovecot/2010-October/053450.html",
                  },
                  {
                     name: "RHSA-2011:0600",
                     refsource: "REDHAT",
                     url: "http://www.redhat.com/support/errata/RHSA-2011-0600.html",
                  },
                  {
                     name: "ADV-2010-2840",
                     refsource: "VUPEN",
                     url: "http://www.vupen.com/english/advisories/2010/2840",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2010-3780",
      datePublished: "2010-10-06T20:00:00",
      dateReserved: "2010-10-06T00:00:00",
      dateUpdated: "2024-08-07T03:18:53.196Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

var-201003-0202
Vulnerability from variot

Dovecot in Apple Mac OS X 10.6 before 10.6.3, when Kerberos is enabled, does not properly enforce the service access control list (SACL) for sending and receiving e-mail, which allows remote authenticated users to bypass intended access restrictions via unspecified vectors. Dovecot is prone to a security-bypass vulnerability. An authenticated attacker may perform unauthorized email actions. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines. Permissions and access control vulnerabilities exist in Dovecot for Apple Mac OS

Show details on source website


{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201003-0202",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "mac os x",
            scope: "eq",
            trust: 1.6,
            vendor: "apple",
            version: "10.6.2",
         },
         {
            model: "mac os x server",
            scope: "eq",
            trust: 1.6,
            vendor: "apple",
            version: "10.6.2",
         },
         {
            model: "mac os x",
            scope: "eq",
            trust: 1.6,
            vendor: "apple",
            version: "10.6.1",
         },
         {
            model: "mac os x server",
            scope: "eq",
            trust: 1.6,
            vendor: "apple",
            version: "10.6.1",
         },
         {
            model: "mac os x",
            scope: "eq",
            trust: 1.6,
            vendor: "apple",
            version: "10.6.0",
         },
         {
            model: "mac os x server",
            scope: "eq",
            trust: 1.6,
            vendor: "apple",
            version: "10.6.0",
         },
         {
            model: "mac os x",
            scope: "eq",
            trust: 0.8,
            vendor: "apple",
            version: "v10.6 to  v10.6.2",
         },
         {
            model: "mac os x server",
            scope: "eq",
            trust: 0.8,
            vendor: "apple",
            version: "v10.6 to  v10.6.2",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.2.8",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.2.7",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.1.6",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.1.5",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.1.4",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0.15",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0.13",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0.12",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0.11",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0.10",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0.9",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0.8",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0.7",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0.6",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0.5",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0.4",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0.3",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.2",
         },
         {
            model: "1.1rc3",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.1rc2",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc9",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc8",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc7",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc6",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc5",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc4",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc3",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc2",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc15",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc14",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc13",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc12",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc11",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.rc10",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.beta3",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "1.0.beta2",
            scope: null,
            trust: 0.3,
            vendor: "dovecot",
            version: null,
         },
         {
            model: "rc29",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0",
         },
         {
            model: "rc1",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0",
         },
         {
            model: "beta8",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0",
         },
         {
            model: "beta7",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.0",
         },
         {
            model: "mac os server",
            scope: "eq",
            trust: 0.3,
            vendor: "apple",
            version: "x10.6.2",
         },
         {
            model: "mac os server",
            scope: "eq",
            trust: 0.3,
            vendor: "apple",
            version: "x10.6.1",
         },
         {
            model: "mac os server",
            scope: "eq",
            trust: 0.3,
            vendor: "apple",
            version: "x10.6",
         },
         {
            model: "mac os",
            scope: "eq",
            trust: 0.3,
            vendor: "apple",
            version: "x10.6.2",
         },
         {
            model: "mac os",
            scope: "eq",
            trust: 0.3,
            vendor: "apple",
            version: "x10.6.1",
         },
         {
            model: "mac os",
            scope: "eq",
            trust: 0.3,
            vendor: "apple",
            version: "x10.6",
         },
         {
            model: "mac os server",
            scope: "ne",
            trust: 0.3,
            vendor: "apple",
            version: "x10.6.3",
         },
         {
            model: "mac os",
            scope: "ne",
            trust: 0.3,
            vendor: "apple",
            version: "x10.6.3",
         },
      ],
      sources: [
         {
            db: "BID",
            id: "39258",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2010-001253",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201003-491",
         },
         {
            db: "NVD",
            id: "CVE-2010-0535",
         },
      ],
   },
   configurations: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/configurations#",
         children: {
            "@container": "@list",
         },
         cpe_match: {
            "@container": "@list",
         },
         data: {
            "@container": "@list",
         },
         nodes: {
            "@container": "@list",
         },
      },
      data: [
         {
            CVE_data_version: "4.0",
            nodes: [
               {
                  cpe_match: [
                     {
                        cpe22Uri: "cpe:/o:apple:mac_os_x",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:apple:mac_os_x_server",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2010-001253",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Michael KisorDamian Put※ pucik@cc-team.org",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201003-491",
         },
      ],
      trust: 0.6,
   },
   cve: "CVE-2010-0535",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "SINGLE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.5,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 8,
                  id: "CVE-2010-0535",
                  impactScore: 6.4,
                  integrityImpact: "PARTIAL",
                  severity: "MEDIUM",
                  trust: 1.8,
                  vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                  version: "2.0",
               },
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "SINGLE",
                  author: "VULHUB",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.5,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 8,
                  id: "VHN-43140",
                  impactScore: 6.4,
                  integrityImpact: "PARTIAL",
                  severity: "MEDIUM",
                  trust: 0.1,
                  vectorString: "AV:N/AC:L/AU:S/C:P/I:P/A:P",
                  version: "2.0",
               },
            ],
            cvssV3: [],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2010-0535",
                  trust: 1,
                  value: "MEDIUM",
               },
               {
                  author: "NVD",
                  id: "CVE-2010-0535",
                  trust: 0.8,
                  value: "Medium",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201003-491",
                  trust: 0.6,
                  value: "MEDIUM",
               },
               {
                  author: "VULHUB",
                  id: "VHN-43140",
                  trust: 0.1,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-43140",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2010-001253",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201003-491",
         },
         {
            db: "NVD",
            id: "CVE-2010-0535",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Dovecot in Apple Mac OS X 10.6 before 10.6.3, when Kerberos is enabled, does not properly enforce the service access control list (SACL) for sending and receiving e-mail, which allows remote authenticated users to bypass intended access restrictions via unspecified vectors. Dovecot is prone to a security-bypass vulnerability. \nAn authenticated attacker may perform unauthorized email actions. \nNOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines. Permissions and access control vulnerabilities exist in Dovecot for Apple Mac OS",
      sources: [
         {
            db: "NVD",
            id: "CVE-2010-0535",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2010-001253",
         },
         {
            db: "BID",
            id: "39258",
         },
         {
            db: "VULHUB",
            id: "VHN-43140",
         },
      ],
      trust: 1.98,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2010-0535",
            trust: 2.8,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2010-001253",
            trust: 0.8,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201003-491",
            trust: 0.7,
         },
         {
            db: "NSFOCUS",
            id: "14715",
            trust: 0.6,
         },
         {
            db: "APPLE",
            id: "APPLE-SA-2010-03-29-1",
            trust: 0.6,
         },
         {
            db: "BID",
            id: "39258",
            trust: 0.4,
         },
         {
            db: "VULHUB",
            id: "VHN-43140",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-43140",
         },
         {
            db: "BID",
            id: "39258",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2010-001253",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201003-491",
         },
         {
            db: "NVD",
            id: "CVE-2010-0535",
         },
      ],
   },
   id: "VAR-201003-0202",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "VULHUB",
            id: "VHN-43140",
         },
      ],
      trust: 0.01,
   },
   last_update_date: "2024-11-23T19:59:16.542000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "HT4077",
            trust: 0.8,
            url: "http://support.apple.com/kb/HT4077",
         },
         {
            title: "HT4077",
            trust: 0.8,
            url: "http://support.apple.com/kb/HT4077?viewlocale=ja_JP",
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2010-001253",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-264",
            trust: 1.9,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-43140",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2010-001253",
         },
         {
            db: "NVD",
            id: "CVE-2010-0535",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 1.7,
            url: "http://lists.apple.com/archives/security-announce/2010//mar/msg00001.html",
         },
         {
            trust: 1.7,
            url: "http://support.apple.com/kb/ht4077",
         },
         {
            trust: 0.8,
            url: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-0535",
         },
         {
            trust: 0.8,
            url: "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-0535",
         },
         {
            trust: 0.6,
            url: "http://www.nsfocus.net/vulndb/14715",
         },
         {
            trust: 0.3,
            url: "http://www.dovecot.org/",
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-43140",
         },
         {
            db: "BID",
            id: "39258",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2010-001253",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201003-491",
         },
         {
            db: "NVD",
            id: "CVE-2010-0535",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "VULHUB",
            id: "VHN-43140",
         },
         {
            db: "BID",
            id: "39258",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2010-001253",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201003-491",
         },
         {
            db: "NVD",
            id: "CVE-2010-0535",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2010-03-30T00:00:00",
            db: "VULHUB",
            id: "VHN-43140",
         },
         {
            date: "2010-03-29T00:00:00",
            db: "BID",
            id: "39258",
         },
         {
            date: "2010-04-14T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2010-001253",
         },
         {
            date: "2010-03-30T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201003-491",
         },
         {
            date: "2010-03-30T18:30:01.407000",
            db: "NVD",
            id: "CVE-2010-0535",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2010-06-21T00:00:00",
            db: "VULHUB",
            id: "VHN-43140",
         },
         {
            date: "2010-03-29T00:00:00",
            db: "BID",
            id: "39258",
         },
         {
            date: "2010-04-14T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2010-001253",
         },
         {
            date: "2010-04-01T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201003-491",
         },
         {
            date: "2024-11-21T01:12:23.907000",
            db: "NVD",
            id: "CVE-2010-0535",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201003-491",
         },
      ],
      trust: 0.6,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Apple Mac OS X of  Dovecot Vulnerable to access restrictions",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2010-001253",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "permissions and access control",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201003-491",
         },
      ],
      trust: 0.6,
   },
}

var-201105-0290
Vulnerability from variot

script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems. The script-login in version 2.0.x prior to Dovecot 2.0.13 did not follow the chroot configuration. Dovecot is prone to multiple security-bypass vulnerabilities because it fails to properly implement certain configuration settings. Authenticated attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

===================================================================== Red Hat Security Advisory

Synopsis: Low: dovecot security and bug fix update Advisory ID: RHSA-2013:0520-02 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0520.html Issue date: 2013-02-21 CVE Names: CVE-2011-2166 CVE-2011-2167 CVE-2011-4318 =====================================================================

  1. Summary:

Updated dovecot packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

  1. It supports mail in either of maildir or mbox formats. The SQL drivers and authentication plug-ins are provided as sub-packages.

Two flaws were found in the way some settings were enforced by the script-login functionality of Dovecot. (CVE-2011-2166, CVE-2011-2167)

A flaw was found in the way Dovecot performed remote server identity verification, when it was configured to proxy IMAP and POP3 connections to remote hosts using TLS/SSL protocols. A remote attacker could use this flaw to conduct man-in-the-middle attacks using an X.509 certificate issued by a trusted Certificate Authority (for a different name). (CVE-2011-4318)

This update also fixes the following bug:

  • When a new user first accessed their IMAP inbox, Dovecot was, under some circumstances, unable to change the group ownership of the inbox directory in the user's Maildir location to match that of the user's mail spool (/var/mail/$USER). This correctly generated an "Internal error occurred" message. However, with a subsequent attempt to access the inbox, Dovecot saw that the directory already existed and proceeded with its operation, leaving the directory with incorrectly set permissions. This update corrects the underlying permissions setting error. When a new user now accesses their inbox for the first time, and it is not possible to set group ownership, Dovecot removes the created directory and generates an error message instead of keeping the directory with incorrect group ownership. (BZ#697620)

Users of dovecot are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the dovecot service will be restarted automatically.

  1. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

  1. Bugs fixed (http://bugzilla.redhat.com/):

709095 - CVE-2011-2166 dovecot: authenticated remote bypass of intended access restrictions 709097 - CVE-2011-2167 dovecot: directory traversal due to not obeying chroot directive 754980 - CVE-2011-4318 dovecot: proxy destination host name not checked against SSL certificate name

  1. Package List:

Red Hat Enterprise Linux Server (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm

i386: dovecot-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-mysql-2.0.9-5.el6.i686.rpm dovecot-pgsql-2.0.9-5.el6.i686.rpm dovecot-pigeonhole-2.0.9-5.el6.i686.rpm

ppc64: dovecot-2.0.9-5.el6.ppc.rpm dovecot-2.0.9-5.el6.ppc64.rpm dovecot-debuginfo-2.0.9-5.el6.ppc.rpm dovecot-debuginfo-2.0.9-5.el6.ppc64.rpm dovecot-mysql-2.0.9-5.el6.ppc64.rpm dovecot-pgsql-2.0.9-5.el6.ppc64.rpm dovecot-pigeonhole-2.0.9-5.el6.ppc64.rpm

s390x: dovecot-2.0.9-5.el6.s390.rpm dovecot-2.0.9-5.el6.s390x.rpm dovecot-debuginfo-2.0.9-5.el6.s390.rpm dovecot-debuginfo-2.0.9-5.el6.s390x.rpm dovecot-mysql-2.0.9-5.el6.s390x.rpm dovecot-pgsql-2.0.9-5.el6.s390x.rpm dovecot-pigeonhole-2.0.9-5.el6.s390x.rpm

x86_64: dovecot-2.0.9-5.el6.i686.rpm dovecot-2.0.9-5.el6.x86_64.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-mysql-2.0.9-5.el6.x86_64.rpm dovecot-pgsql-2.0.9-5.el6.x86_64.rpm dovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm

i386: dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-devel-2.0.9-5.el6.i686.rpm

ppc64: dovecot-debuginfo-2.0.9-5.el6.ppc64.rpm dovecot-devel-2.0.9-5.el6.ppc64.rpm

s390x: dovecot-debuginfo-2.0.9-5.el6.s390x.rpm dovecot-devel-2.0.9-5.el6.s390x.rpm

x86_64: dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-devel-2.0.9-5.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm

i386: dovecot-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-mysql-2.0.9-5.el6.i686.rpm dovecot-pgsql-2.0.9-5.el6.i686.rpm dovecot-pigeonhole-2.0.9-5.el6.i686.rpm

x86_64: dovecot-2.0.9-5.el6.i686.rpm dovecot-2.0.9-5.el6.x86_64.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-mysql-2.0.9-5.el6.x86_64.rpm dovecot-pgsql-2.0.9-5.el6.x86_64.rpm dovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm

i386: dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-devel-2.0.9-5.el6.i686.rpm

x86_64: dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-devel-2.0.9-5.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

  1. References:

https://www.redhat.com/security/data/cve/CVE-2011-2166.html https://www.redhat.com/security/data/cve/CVE-2011-2167.html https://www.redhat.com/security/data/cve/CVE-2011-4318.html https://access.redhat.com/security/updates/classification/#low

  1. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJcMBXlSAg2UNWIIRAsLkAKCVzudrg6y2jNbVu8TARQH65FPliACgpPzA 3cvEfHEUoK/fdUBZNDEuZqU= =9rAE -----END PGP SIGNATURE-----

-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-04


                                        http://security.gentoo.org/

Severity: High Title: Dovecot: Multiple vulnerabilities Date: October 10, 2011 Bugs: #286844, #293954, #314533, #368653 ID: 201110-04


Synopsis

Multiple vulnerabilities were found in Dovecot, the worst of which allowing for remote execution of arbitrary code. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could exploit these vulnerabilities to cause the remote execution of arbitrary code, or a Denial of Service condition, to conduct directory traversal attacks, corrupt data, or disclose information.

Workaround

There is no known workaround at this time.

Resolution

All Dovecot 1 users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.2.17"

All Dovecot 2 users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.0.13"

NOTE: This is a legacy GLSA. Updates for all affected architectures are available since May 28, 2011. It is likely that your system is already no longer affected by this issue.

References

[ 1 ] CVE-2009-3235 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235 [ 2 ] CVE-2009-3897 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897 [ 3 ] CVE-2010-0745 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745 [ 4 ] CVE-2010-3304 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304 [ 5 ] CVE-2010-3706 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706 [ 6 ] CVE-2010-3707 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707 [ 7 ] CVE-2010-3779 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779 [ 8 ] CVE-2010-3780 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780 [ 9 ] CVE-2011-1929 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929 [ 10 ] CVE-2011-2166 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166 [ 11 ] CVE-2011-2167 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201110-04.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Show details on source website


{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201105-0290",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.12",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.3",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.5",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.0",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.1",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.2",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.4",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.0.8",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.0.7",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.0.9",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1,
            vendor: "dovecot",
            version: "2.0.11",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1,
            vendor: "dovecot",
            version: "2.0.10",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1,
            vendor: "dovecot",
            version: "2.0.6",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.8,
            vendor: "timo sirainen",
            version: "2.0.13",
         },
         {
            model: "dovecot",
            scope: "lt",
            trust: 0.8,
            vendor: "timo sirainen",
            version: "2.0.x",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.6,
            vendor: "dovecot",
            version: "2.0.x",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "2.0",
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 0.3,
            vendor: "oracle",
            version: "6.2",
         },
         {
            model: "linux",
            scope: null,
            trust: 0.3,
            vendor: "gentoo",
            version: null,
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 0.3,
            vendor: "oracle",
            version: "6",
         },
         {
            model: "beta1",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "2.0",
         },
         {
            model: "dovecot",
            scope: "ne",
            trust: 0.3,
            vendor: "dovecot",
            version: "2.0.13",
         },
         {
            model: "centos",
            scope: "eq",
            trust: 0.3,
            vendor: "centos",
            version: "6",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2129",
         },
         {
            db: "BID",
            id: "48003",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004654",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-252",
         },
         {
            db: "NVD",
            id: "CVE-2011-2167",
         },
      ],
   },
   configurations: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/configurations#",
         children: {
            "@container": "@list",
         },
         cpe_match: {
            "@container": "@list",
         },
         data: {
            "@container": "@list",
         },
         nodes: {
            "@container": "@list",
         },
      },
      data: [
         {
            CVE_data_version: "4.0",
            nodes: [
               {
                  cpe_match: [
                     {
                        cpe22Uri: "cpe:/a:dovecot:dovecot",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-004654",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Reported by the vendor.",
      sources: [
         {
            db: "BID",
            id: "48003",
         },
      ],
      trust: 0.3,
   },
   cve: "CVE-2011-2167",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "SINGLE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.5,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 8,
                  id: "CVE-2011-2167",
                  impactScore: 6.4,
                  integrityImpact: "PARTIAL",
                  severity: "MEDIUM",
                  trust: 1.8,
                  vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                  version: "2.0",
               },
            ],
            cvssV3: [],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2011-2167",
                  trust: 1,
                  value: "MEDIUM",
               },
               {
                  author: "NVD",
                  id: "CVE-2011-2167",
                  trust: 0.8,
                  value: "Medium",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201105-252",
                  trust: 0.6,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-004654",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-252",
         },
         {
            db: "NVD",
            id: "CVE-2011-2167",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems. The script-login in version 2.0.x prior to Dovecot 2.0.13 did not follow the chroot configuration. Dovecot is prone to multiple security-bypass vulnerabilities because it fails to properly implement certain configuration settings. \nAuthenticated attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n                   Red Hat Security Advisory\n\nSynopsis:          Low: dovecot security and bug fix update\nAdvisory ID:       RHSA-2013:0520-02\nProduct:           Red Hat Enterprise Linux\nAdvisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0520.html\nIssue date:        2013-02-21\nCVE Names:         CVE-2011-2166 CVE-2011-2167 CVE-2011-4318 \n=====================================================================\n\n1. Summary:\n\nUpdated dovecot packages that fix three security issues and one bug are now\navailable for Red Hat Enterprise Linux 6. \n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64\n\n3. It\nsupports mail in either of maildir or mbox formats. The SQL drivers and\nauthentication plug-ins are provided as sub-packages. \n\nTwo flaws were found in the way some settings were enforced by the\nscript-login functionality of Dovecot. (CVE-2011-2166,\nCVE-2011-2167)\n\nA flaw was found in the way Dovecot performed remote server identity\nverification, when it was configured to proxy IMAP and POP3 connections to\nremote hosts using TLS/SSL protocols. A remote attacker could use this flaw\nto conduct man-in-the-middle attacks using an X.509 certificate issued by\na trusted Certificate Authority (for a different name). (CVE-2011-4318)\n\nThis update also fixes the following bug:\n\n* When a new user first accessed their IMAP inbox, Dovecot was, under some\ncircumstances, unable to change the group ownership of the inbox directory\nin the user's Maildir location to match that of the user's mail spool\n(/var/mail/$USER). This correctly generated an \"Internal error occurred\"\nmessage. However, with a subsequent attempt to access the inbox, Dovecot\nsaw that the directory already existed and proceeded with its operation,\nleaving the directory with incorrectly set permissions. This update\ncorrects the underlying permissions setting error. When a new user now\naccesses their inbox for the first time, and it is not possible to set\ngroup ownership, Dovecot removes the created directory and generates an\nerror message instead of keeping the directory with incorrect group\nownership. (BZ#697620)\n\nUsers of dovecot are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the dovecot service will be restarted automatically. \n\n4. Solution:\n\nBefore applying this update, make sure all previously-released errata\nrelevant to your system have been applied. \n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258\n\n5. Bugs fixed (http://bugzilla.redhat.com/):\n\n709095 - CVE-2011-2166 dovecot: authenticated remote bypass of intended access restrictions\n709097 - CVE-2011-2167 dovecot: directory traversal due to not obeying chroot directive\n754980 - CVE-2011-4318 dovecot: proxy destination host name not checked against SSL certificate name\n\n6. Package List:\n\nRed Hat Enterprise Linux Server (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-mysql-2.0.9-5.el6.i686.rpm\ndovecot-pgsql-2.0.9-5.el6.i686.rpm\ndovecot-pigeonhole-2.0.9-5.el6.i686.rpm\n\nppc64:\ndovecot-2.0.9-5.el6.ppc.rpm\ndovecot-2.0.9-5.el6.ppc64.rpm\ndovecot-debuginfo-2.0.9-5.el6.ppc.rpm\ndovecot-debuginfo-2.0.9-5.el6.ppc64.rpm\ndovecot-mysql-2.0.9-5.el6.ppc64.rpm\ndovecot-pgsql-2.0.9-5.el6.ppc64.rpm\ndovecot-pigeonhole-2.0.9-5.el6.ppc64.rpm\n\ns390x:\ndovecot-2.0.9-5.el6.s390.rpm\ndovecot-2.0.9-5.el6.s390x.rpm\ndovecot-debuginfo-2.0.9-5.el6.s390.rpm\ndovecot-debuginfo-2.0.9-5.el6.s390x.rpm\ndovecot-mysql-2.0.9-5.el6.s390x.rpm\ndovecot-pgsql-2.0.9-5.el6.s390x.rpm\ndovecot-pigeonhole-2.0.9-5.el6.s390x.rpm\n\nx86_64:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-2.0.9-5.el6.x86_64.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-mysql-2.0.9-5.el6.x86_64.rpm\ndovecot-pgsql-2.0.9-5.el6.x86_64.rpm\ndovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-devel-2.0.9-5.el6.i686.rpm\n\nppc64:\ndovecot-debuginfo-2.0.9-5.el6.ppc64.rpm\ndovecot-devel-2.0.9-5.el6.ppc64.rpm\n\ns390x:\ndovecot-debuginfo-2.0.9-5.el6.s390x.rpm\ndovecot-devel-2.0.9-5.el6.s390x.rpm\n\nx86_64:\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-devel-2.0.9-5.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-mysql-2.0.9-5.el6.i686.rpm\ndovecot-pgsql-2.0.9-5.el6.i686.rpm\ndovecot-pigeonhole-2.0.9-5.el6.i686.rpm\n\nx86_64:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-2.0.9-5.el6.x86_64.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-mysql-2.0.9-5.el6.x86_64.rpm\ndovecot-pgsql-2.0.9-5.el6.x86_64.rpm\ndovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-devel-2.0.9-5.el6.i686.rpm\n\nx86_64:\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-devel-2.0.9-5.el6.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/#package\n\n7. References:\n\nhttps://www.redhat.com/security/data/cve/CVE-2011-2166.html\nhttps://www.redhat.com/security/data/cve/CVE-2011-2167.html\nhttps://www.redhat.com/security/data/cve/CVE-2011-4318.html\nhttps://access.redhat.com/security/updates/classification/#low\n\n8. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>.  More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2013 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.4 (GNU/Linux)\n\niD8DBQFRJcMBXlSAg2UNWIIRAsLkAKCVzudrg6y2jNbVu8TARQH65FPliACgpPzA\n3cvEfHEUoK/fdUBZNDEuZqU=\n=9rAE\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 201110-04\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                            http://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n    Title: Dovecot: Multiple vulnerabilities\n     Date: October 10, 2011\n     Bugs: #286844, #293954, #314533, #368653\n       ID: 201110-04\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities were found in Dovecot, the worst of which\nallowing for remote execution of arbitrary code. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nA remote attacker could exploit these vulnerabilities to cause the\nremote execution of arbitrary code, or a Denial of Service condition,\nto conduct directory traversal attacks, corrupt data, or disclose\ninformation. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Dovecot 1 users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \">=net-mail/dovecot-1.2.17\"\n\nAll Dovecot 2 users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \">=net-mail/dovecot-2.0.13\"\n\nNOTE: This is a legacy GLSA. Updates for all affected architectures are\navailable since May 28, 2011. It is likely that your system is already\nno longer affected by this issue. \n\nReferences\n==========\n\n[  1 ] CVE-2009-3235\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235\n[  2 ] CVE-2009-3897\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897\n[  3 ] CVE-2010-0745\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745\n[  4 ] CVE-2010-3304\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304\n[  5 ] CVE-2010-3706\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706\n[  6 ] CVE-2010-3707\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707\n[  7 ] CVE-2010-3779\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779\n[  8 ] CVE-2010-3780\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780\n[  9 ] CVE-2011-1929\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929\n[ 10 ] CVE-2011-2166\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166\n[ 11 ] CVE-2011-2167\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n http://security.gentoo.org/glsa/glsa-201110-04.xml\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users' machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2011 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n\n\n\n",
      sources: [
         {
            db: "NVD",
            id: "CVE-2011-2167",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004654",
         },
         {
            db: "CNVD",
            id: "CNVD-2011-2129",
         },
         {
            db: "BID",
            id: "48003",
         },
         {
            db: "PACKETSTORM",
            id: "120446",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
      ],
      trust: 2.61,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2011-2167",
            trust: 3.5,
         },
         {
            db: "OPENWALL",
            id: "OSS-SECURITY/2011/05/18/4",
            trust: 1.6,
         },
         {
            db: "BID",
            id: "48003",
            trust: 1.3,
         },
         {
            db: "SECUNIA",
            id: "52311",
            trust: 1,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004654",
            trust: 0.8,
         },
         {
            db: "CNVD",
            id: "CNVD-2011-2129",
            trust: 0.6,
         },
         {
            db: "MLIST",
            id: "[DOVECOT] 20110511 V2.0.13 RELEASED",
            trust: 0.6,
         },
         {
            db: "MLIST",
            id: "[OSS-SECURITY] 20110518 DOVECOT RELEASES",
            trust: 0.6,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-252",
            trust: 0.6,
         },
         {
            db: "PACKETSTORM",
            id: "120446",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "105652",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2129",
         },
         {
            db: "BID",
            id: "48003",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004654",
         },
         {
            db: "PACKETSTORM",
            id: "120446",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-252",
         },
         {
            db: "NVD",
            id: "CVE-2011-2167",
         },
      ],
   },
   id: "VAR-201105-0290",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2129",
         },
      ],
      trust: 0.06,
   },
   iot_taxonomy: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            category: [
               "Network device",
            ],
            sub_category: null,
            trust: 0.6,
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2129",
         },
      ],
   },
   last_update_date: "2024-11-23T20:58:23.129000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "NEWS-2.0",
            trust: 0.8,
            url: "http://www.dovecot.org/doc/NEWS-2.0",
         },
         {
            title: "Dovecot directory traversal vulnerability patch",
            trust: 0.6,
            url: "https://www.cnvd.org.cn/patchInfo/show/4009",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2129",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004654",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-22",
            trust: 1.8,
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-004654",
         },
         {
            db: "NVD",
            id: "CVE-2011-2167",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 2.5,
            url: "http://dovecot.org/pipermail/dovecot/2011-may/059085.html",
         },
         {
            trust: 1.6,
            url: "http://www.dovecot.org/doc/news-2.0",
         },
         {
            trust: 1.6,
            url: "http://openwall.com/lists/oss-security/2011/05/18/4",
         },
         {
            trust: 1.1,
            url: "http://rhn.redhat.com/errata/rhsa-2013-0520.html",
         },
         {
            trust: 1,
            url: "http://secunia.com/advisories/52311",
         },
         {
            trust: 1,
            url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/67674",
         },
         {
            trust: 1,
            url: "http://www.securityfocus.com/bid/48003",
         },
         {
            trust: 0.8,
            url: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-2167",
         },
         {
            trust: 0.8,
            url: "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-2167",
         },
         {
            trust: 0.3,
            url: "http://www.dovecot.org/",
         },
         {
            trust: 0.1,
            url: "https://www.redhat.com/mailman/listinfo/rhsa-announce",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2011-2166",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/updates/classification/#low",
         },
         {
            trust: 0.1,
            url: "https://www.redhat.com/security/data/cve/cve-2011-4318.html",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/team/contact/",
         },
         {
            trust: 0.1,
            url: "https://www.redhat.com/security/data/cve/cve-2011-2166.html",
         },
         {
            trust: 0.1,
            url: "https://www.redhat.com/security/data/cve/cve-2011-2167.html",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/team/key/#package",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2011-4318",
         },
         {
            trust: 0.1,
            url: "http://bugzilla.redhat.com/):",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2011-2167",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/knowledge/articles/11258",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-1929",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3304",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3706",
         },
         {
            trust: 0.1,
            url: "http://creativecommons.org/licenses/by-sa/2.5",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-0745",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3897",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3779",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2167",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3707",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2009-3897",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3780",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2166",
         },
         {
            trust: 0.1,
            url: "http://security.gentoo.org/",
         },
         {
            trust: 0.1,
            url: "https://bugs.gentoo.org.",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3235",
         },
         {
            trust: 0.1,
            url: "http://security.gentoo.org/glsa/glsa-201110-04.xml",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2009-3235",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2129",
         },
         {
            db: "BID",
            id: "48003",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004654",
         },
         {
            db: "PACKETSTORM",
            id: "120446",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-252",
         },
         {
            db: "NVD",
            id: "CVE-2011-2167",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "CNVD",
            id: "CNVD-2011-2129",
         },
         {
            db: "BID",
            id: "48003",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004654",
         },
         {
            db: "PACKETSTORM",
            id: "120446",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-252",
         },
         {
            db: "NVD",
            id: "CVE-2011-2167",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2011-06-05T00:00:00",
            db: "CNVD",
            id: "CNVD-2011-2129",
         },
         {
            date: "2011-05-26T00:00:00",
            db: "BID",
            id: "48003",
         },
         {
            date: "2012-03-27T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2011-004654",
         },
         {
            date: "2013-02-21T16:28:44",
            db: "PACKETSTORM",
            id: "120446",
         },
         {
            date: "2011-10-10T22:42:12",
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            date: "2011-05-25T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201105-252",
         },
         {
            date: "2011-05-24T23:55:04.480000",
            db: "NVD",
            id: "CVE-2011-2167",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2011-06-05T00:00:00",
            db: "CNVD",
            id: "CNVD-2011-2129",
         },
         {
            date: "2013-03-11T06:54:00",
            db: "BID",
            id: "48003",
         },
         {
            date: "2012-03-27T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2011-004654",
         },
         {
            date: "2011-05-25T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201105-252",
         },
         {
            date: "2024-11-21T01:27:44.190000",
            db: "NVD",
            id: "CVE-2011-2167",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "PACKETSTORM",
            id: "120446",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-252",
         },
      ],
      trust: 0.8,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Dovecot of  script-login Vulnerable to performing a direct traversal attack",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-004654",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "path traversal",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201105-252",
         },
      ],
      trust: 0.6,
   },
}

var-201803-0134
Vulnerability from variot

A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server. Dovecot Contains an out-of-bounds vulnerability and an information disclosure vulnerability.Information is obtained and service operation is interrupted (DoS) There is a possibility of being put into a state. Dovecot is an open source IMAP and POP3 mail server based on Linux/UNIX-like systems. A cross-boundary read vulnerability exists in Dovecot version 2.2.33.2. This vulnerability can be used to cause denial of service and access to sensitive information. Dovecot is prone to an information-disclosure vulnerability. Failed exploit attempts will result in a denial-of-service condition. Dovecot 2.2.33.2 is vulnerable; other versions may also be affected. ========================================================================== Ubuntu Security Notice USN-3587-2 April 02, 2018

dovecot vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in Dovecot. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that Dovecot incorrectly handled parsing certain email addresses. (CVE-2017-14461)

It was discovered that Dovecot incorrectly handled TLS SNI config lookups. (CVE-2017-15130)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM: dovecot-core 1:2.0.19-0ubuntu2.5

In general, a standard system update will make all the necessary changes.

References: https://usn.ubuntu.com/usn/usn-3587-2 https://usn.ubuntu.com/usn/usn-3587-1 CVE-2017-14461, CVE-2017-15130 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512


Debian Security Advisory DSA-4130-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 02, 2018 https://www.debian.org/security/faq


Package : dovecot CVE ID : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132 Debian Bug : 888432 891819 891820

Several vulnerabilities have been discovered in the Dovecot email server. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2017-14461

Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that
Dovecot does not properly parse invalid email addresses, which may
cause a crash or leak memory contents to an attacker.

CVE-2017-15130

It was discovered that TLS SNI config lookups may lead to excessive
memory usage, causing imap-login/pop3-login VSZ limit to be reached
and the process restarted, resulting in a denial of service. Only
Dovecot configurations containing local_name { } or local { }
configuration blocks are affected.

CVE-2017-15132

It was discovered that Dovecot contains a memory leak flaw in the
login process on aborted SASL authentication.

For the oldstable distribution (jessie), these problems have been fixed in version 1:2.2.13-12~deb8u4.

For the stable distribution (stretch), these problems have been fixed in version 1:2.2.27-3+deb9u2.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dovecot

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqZzelfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0T8fg/+KmUzgEXDQFSnWOmSt+8GXFB08C2XtXmopMuej/1tjkZZ7B04vXfkgYZ9 u7zICbM56VrTmnXOYnLuXjqLrzGO0Y9jX+Z5G4BSw0TgP+g6ME72ZvqxuE4IKQqi QlaKTX86B1AMpzvkLrhwXlArJDr7pJzOonFJds6rKtVA4OvY4/fAAWrH89BFchet VwdO5rngcd/qnAYVOZglTMfgVlzxvenx+0fbQ6JFS6T8ODOFSsnwth64u3KY8yYj 4PGTBqX4m+2S2q2qGinueBgHNUV4RK71Zw1QYDa2gMBQR3HtlMnDhmQ4uYCvKP04 Z1GJYX6dMxMSWPKC2WecrdCSV+QAdMlYypKbhqcLA4LHcdPR+v35oQT4X/SYd2WS Zf50KMYUm9Q3YiOHVDrJo+o21hX4g8hRw1wdewZz+wyQ1n1TOlVtRh4vmACKRzNx 7bUayEvVU3q3VQd+dDH2Bl+TBiO7RB5/b2pHp8vHwAlVX00jYSSnoLUKT0L4BQ54 +1DZ8j88OFKDxTgOsbk19rhfraY7iejAjHZDVnJBwC/tB9REG6DOrDIG4OJqTKw4 sP1JaHryOGXzOf/8h61rY5HAuwofGkAZN7S+Bel0+zGYJvIcSyxpBKvJB/0TDNjm E5KphLFG9RGVmdeVkQzG6tGUMnMXxFrAD5U3hlzUsNGLLA+RE78= =Yh09 -----END PGP SIGNATURE-----

Show details on source website


{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201803-0134",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.2.33.2",
         },
         {
            model: "ubuntu",
            scope: "eq",
            trust: 1.6,
            vendor: "ubuntu",
            version: "17.10",
         },
         {
            model: "ubuntu",
            scope: "eq",
            trust: 1.6,
            vendor: "ubuntu",
            version: "16.04",
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "8.0",
         },
         {
            model: "ubuntu",
            scope: "eq",
            trust: 1,
            vendor: "ubuntu",
            version: "14.04",
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "9.0",
         },
         {
            model: "ubuntu",
            scope: null,
            trust: 0.8,
            vendor: "canonical",
            version: null,
         },
         {
            model: "gnu/linux",
            scope: null,
            trust: 0.8,
            vendor: "debian",
            version: null,
         },
         {
            model: "dovecot",
            scope: null,
            trust: 0.8,
            vendor: "timo sirainen",
            version: null,
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2018-06399",
         },
         {
            db: "BID",
            id: "103201",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012764",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201709-607",
         },
         {
            db: "NVD",
            id: "CVE-2017-14461",
         },
      ],
   },
   configurations: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/configurations#",
         children: {
            "@container": "@list",
         },
         cpe_match: {
            "@container": "@list",
         },
         data: {
            "@container": "@list",
         },
         nodes: {
            "@container": "@list",
         },
      },
      data: [
         {
            CVE_data_version: "4.0",
            nodes: [
               {
                  cpe_match: [
                     {
                        cpe22Uri: "cpe:/o:canonical:ubuntu",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:debian:debian_linux",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:dovecot:dovecot",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2017-012764",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Aleksandar Nikolic of Cisco Talos.",
      sources: [
         {
            db: "BID",
            id: "103201",
         },
      ],
      trust: 0.3,
   },
   cve: "CVE-2017-14461",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "SINGLE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "PARTIAL",
                  baseScore: 5.5,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 8,
                  id: "CVE-2017-14461",
                  impactScore: 4.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 1.8,
                  vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:P",
                  version: "2.0",
               },
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "SINGLE",
                  author: "CNVD",
                  availabilityImpact: "PARTIAL",
                  baseScore: 5.5,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 8,
                  id: "CNVD-2018-06399",
                  impactScore: 4.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 0.6,
                  vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:P",
                  version: "2.0",
               },
            ],
            cvssV3: [
               {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  author: "nvd@nist.gov",
                  availabilityImpact: "HIGH",
                  baseScore: 7.1,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "LOW",
                  exploitabilityScore: 2.8,
                  id: "CVE-2017-14461",
                  impactScore: 4.2,
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  trust: 1.8,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
                  version: "3.0",
               },
               {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  author: "talos-cna@cisco.com",
                  availabilityImpact: "HIGH",
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  exploitabilityScore: 1.6,
                  id: "CVE-2017-14461",
                  impactScore: 4.2,
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  trust: 1,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H",
                  version: "3.0",
               },
            ],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2017-14461",
                  trust: 1,
                  value: "HIGH",
               },
               {
                  author: "talos-cna@cisco.com",
                  id: "CVE-2017-14461",
                  trust: 1,
                  value: "MEDIUM",
               },
               {
                  author: "NVD",
                  id: "CVE-2017-14461",
                  trust: 0.8,
                  value: "High",
               },
               {
                  author: "CNVD",
                  id: "CNVD-2018-06399",
                  trust: 0.6,
                  value: "MEDIUM",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201709-607",
                  trust: 0.6,
                  value: "HIGH",
               },
            ],
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2018-06399",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012764",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201709-607",
         },
         {
            db: "NVD",
            id: "CVE-2017-14461",
         },
         {
            db: "NVD",
            id: "CVE-2017-14461",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server. Dovecot Contains an out-of-bounds vulnerability and an information disclosure vulnerability.Information is obtained and service operation is interrupted (DoS) There is a possibility of being put into a state. Dovecot is an open source IMAP and POP3 mail server based on Linux/UNIX-like systems. A cross-boundary read vulnerability exists in Dovecot version 2.2.33.2. This vulnerability can be used to cause denial of service and access to sensitive information. Dovecot is prone to an information-disclosure vulnerability.  Failed exploit attempts will result in a denial-of-service  condition. \nDovecot 2.2.33.2 is vulnerable; other versions may also be affected. ==========================================================================\nUbuntu Security Notice USN-3587-2\nApril 02, 2018\n\ndovecot vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 12.04 ESM\n\nSummary:\n\nSeveral security issues were fixed in Dovecot. This update provides\nthe corresponding update for Ubuntu 12.04 ESM. \n\nOriginal advisory details:\n\n It was discovered that Dovecot incorrectly handled parsing certain\n email addresses. (CVE-2017-14461)\n\n It was discovered that Dovecot incorrectly handled TLS SNI config\n lookups. (CVE-2017-15130)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 12.04 ESM:\n  dovecot-core                    1:2.0.19-0ubuntu2.5\n\nIn general, a standard system update will make all the necessary\nchanges. \n\nReferences:\n  https://usn.ubuntu.com/usn/usn-3587-2\n  https://usn.ubuntu.com/usn/usn-3587-1\n  CVE-2017-14461, CVE-2017-15130\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4130-1                   security@debian.org\nhttps://www.debian.org/security/                     Salvatore Bonaccorso\nMarch 02, 2018                        https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage        : dovecot\nCVE ID         : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132\nDebian Bug     : 888432 891819 891820\n\nSeveral vulnerabilities have been discovered in the Dovecot email\nserver. The Common Vulnerabilities and Exposures project identifies the\nfollowing issues:\n\nCVE-2017-14461\n\n    Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that\n    Dovecot does not properly parse invalid email addresses, which may\n    cause a crash or leak memory contents to an attacker. \n\nCVE-2017-15130\n\n    It was discovered that TLS SNI config lookups may lead to excessive\n    memory usage, causing imap-login/pop3-login VSZ limit to be reached\n    and the process restarted, resulting in a denial of service. Only\n    Dovecot configurations containing local_name { } or local { }\n    configuration blocks are affected. \n\nCVE-2017-15132\n\n    It was discovered that Dovecot contains a memory leak flaw in the\n    login process on aborted SASL authentication. \n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 1:2.2.13-12~deb8u4. \n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1:2.2.27-3+deb9u2. \n\nWe recommend that you upgrade your dovecot packages. \n\nFor the detailed security status of dovecot please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/dovecot\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqZzelfFIAAAAAALgAo\naXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2\nNDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND\nz0T8fg/+KmUzgEXDQFSnWOmSt+8GXFB08C2XtXmopMuej/1tjkZZ7B04vXfkgYZ9\nu7zICbM56VrTmnXOYnLuXjqLrzGO0Y9jX+Z5G4BSw0TgP+g6ME72ZvqxuE4IKQqi\nQlaKTX86B1AMpzvkLrhwXlArJDr7pJzOonFJds6rKtVA4OvY4/fAAWrH89BFchet\nVwdO5rngcd/qnAYVOZglTMfgVlzxvenx+0fbQ6JFS6T8ODOFSsnwth64u3KY8yYj\n4PGTBqX4m+2S2q2qGinueBgHNUV4RK71Zw1QYDa2gMBQR3HtlMnDhmQ4uYCvKP04\nZ1GJYX6dMxMSWPKC2WecrdCSV+QAdMlYypKbhqcLA4LHcdPR+v35oQT4X/SYd2WS\nZf50KMYUm9Q3YiOHVDrJo+o21hX4g8hRw1wdewZz+wyQ1n1TOlVtRh4vmACKRzNx\n7bUayEvVU3q3VQd+dDH2Bl+TBiO7RB5/b2pHp8vHwAlVX00jYSSnoLUKT0L4BQ54\n+1DZ8j88OFKDxTgOsbk19rhfraY7iejAjHZDVnJBwC/tB9REG6DOrDIG4OJqTKw4\nsP1JaHryOGXzOf/8h61rY5HAuwofGkAZN7S+Bel0+zGYJvIcSyxpBKvJB/0TDNjm\nE5KphLFG9RGVmdeVkQzG6tGUMnMXxFrAD5U3hlzUsNGLLA+RE78=\n=Yh09\n-----END PGP SIGNATURE-----\n",
      sources: [
         {
            db: "NVD",
            id: "CVE-2017-14461",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012764",
         },
         {
            db: "CNVD",
            id: "CNVD-2018-06399",
         },
         {
            db: "BID",
            id: "103201",
         },
         {
            db: "PACKETSTORM",
            id: "147005",
         },
         {
            db: "PACKETSTORM",
            id: "146647",
         },
         {
            db: "PACKETSTORM",
            id: "146656",
         },
      ],
      trust: 2.7,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2017-14461",
            trust: 3.6,
         },
         {
            db: "TALOS",
            id: "TALOS-2017-0510",
            trust: 2.5,
         },
         {
            db: "BID",
            id: "103201",
            trust: 2.5,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012764",
            trust: 0.8,
         },
         {
            db: "CNVD",
            id: "CNVD-2018-06399",
            trust: 0.6,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201709-607",
            trust: 0.6,
         },
         {
            db: "PACKETSTORM",
            id: "147005",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "146647",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "146656",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2018-06399",
         },
         {
            db: "BID",
            id: "103201",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012764",
         },
         {
            db: "PACKETSTORM",
            id: "147005",
         },
         {
            db: "PACKETSTORM",
            id: "146647",
         },
         {
            db: "PACKETSTORM",
            id: "146656",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201709-607",
         },
         {
            db: "NVD",
            id: "CVE-2017-14461",
         },
      ],
   },
   id: "VAR-201803-0134",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2018-06399",
         },
      ],
      trust: 0.06,
   },
   iot_taxonomy: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            category: [
               "Network device",
            ],
            sub_category: null,
            trust: 0.6,
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2018-06399",
         },
      ],
   },
   last_update_date: "2024-11-23T22:34:19.671000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "[SECURITY] [DLA 1333-1] dovecot security update",
            trust: 0.8,
            url: "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html",
         },
         {
            title: "DSA-4130",
            trust: 0.8,
            url: "https://www.debian.org/security/2018/dsa-4130",
         },
         {
            title: "[Dovecot-news] v2.2.34 released",
            trust: 0.8,
            url: "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html",
         },
         {
            title: "USN-3587-1",
            trust: 0.8,
            url: "https://usn.ubuntu.com/3587-1/",
         },
         {
            title: "USN-3587-2",
            trust: 0.8,
            url: "https://usn.ubuntu.com/3587-2/",
         },
         {
            title: "Dovecot Buffer error vulnerability fix",
            trust: 0.6,
            url: "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=190036",
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2017-012764",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201709-607",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-125",
            trust: 1.8,
         },
         {
            problemtype: "CWE-200",
            trust: 1.8,
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2017-012764",
         },
         {
            db: "NVD",
            id: "CVE-2017-14461",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 2.2,
            url: "https://talosintelligence.com/vulnerability_reports/talos-2017-0510",
         },
         {
            trust: 1.6,
            url: "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html",
         },
         {
            trust: 1.6,
            url: "https://www.debian.org/security/2018/dsa-4130",
         },
         {
            trust: 1.6,
            url: "https://usn.ubuntu.com/3587-2/",
         },
         {
            trust: 1.6,
            url: "https://usn.ubuntu.com/3587-1/",
         },
         {
            trust: 1.6,
            url: "https://www.dovecot.org/list/dovecot-news/2018-february/000370.html",
         },
         {
            trust: 1.6,
            url: "http://www.securityfocus.com/bid/103201",
         },
         {
            trust: 1.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-14461",
         },
         {
            trust: 0.8,
            url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14461",
         },
         {
            trust: 0.3,
            url: "http://www.dovecot.org/",
         },
         {
            trust: 0.3,
            url: "https://www.talosintelligence.com/vulnerability_reports/talos-2017-0510",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-15130",
         },
         {
            trust: 0.2,
            url: "https://usn.ubuntu.com/usn/usn-3587-1",
         },
         {
            trust: 0.1,
            url: "https://usn.ubuntu.com/usn/usn-3587-2",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/dovecot/1:2.2.9-1ubuntu2.4",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/dovecot/1:2.2.22-1ubuntu2.7",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/dovecot/1:2.2.27-3ubuntu1.3",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/faq",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-15132",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/",
         },
         {
            trust: 0.1,
            url: "https://security-tracker.debian.org/tracker/dovecot",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2018-06399",
         },
         {
            db: "BID",
            id: "103201",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012764",
         },
         {
            db: "PACKETSTORM",
            id: "147005",
         },
         {
            db: "PACKETSTORM",
            id: "146647",
         },
         {
            db: "PACKETSTORM",
            id: "146656",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201709-607",
         },
         {
            db: "NVD",
            id: "CVE-2017-14461",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "CNVD",
            id: "CNVD-2018-06399",
         },
         {
            db: "BID",
            id: "103201",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012764",
         },
         {
            db: "PACKETSTORM",
            id: "147005",
         },
         {
            db: "PACKETSTORM",
            id: "146647",
         },
         {
            db: "PACKETSTORM",
            id: "146656",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201709-607",
         },
         {
            db: "NVD",
            id: "CVE-2017-14461",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2018-03-27T00:00:00",
            db: "CNVD",
            id: "CNVD-2018-06399",
         },
         {
            date: "2018-03-01T00:00:00",
            db: "BID",
            id: "103201",
         },
         {
            date: "2018-04-16T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2017-012764",
         },
         {
            date: "2018-04-02T16:54:55",
            db: "PACKETSTORM",
            id: "147005",
         },
         {
            date: "2018-03-05T22:23:00",
            db: "PACKETSTORM",
            id: "146647",
         },
         {
            date: "2018-03-05T23:45:22",
            db: "PACKETSTORM",
            id: "146656",
         },
         {
            date: "2017-09-15T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201709-607",
         },
         {
            date: "2018-03-02T15:29:00.210000",
            db: "NVD",
            id: "CVE-2017-14461",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2018-03-27T00:00:00",
            db: "CNVD",
            id: "CNVD-2018-06399",
         },
         {
            date: "2018-03-01T00:00:00",
            db: "BID",
            id: "103201",
         },
         {
            date: "2018-04-16T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2017-012764",
         },
         {
            date: "2022-04-20T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201709-607",
         },
         {
            date: "2024-11-21T03:12:50.433000",
            db: "NVD",
            id: "CVE-2017-14461",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "PACKETSTORM",
            id: "147005",
         },
         {
            db: "PACKETSTORM",
            id: "146647",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201709-607",
         },
      ],
      trust: 0.8,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Dovecot Vulnerable to out-of-bounds reading",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2017-012764",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "buffer error",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201709-607",
         },
      ],
      trust: 0.6,
   },
}

var-201105-0095
Vulnerability from variot

lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\0' characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems. Dovecot is prone to a denial-of-service vulnerability because it fails to properly parse message headers. A remote attacker can exploit this issue to crash the affected application, denying service to legitimate users. Dovecot versions prior to 1.2.17 and 2.0.13 are vulnerable. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

===================================================================== Red Hat Security Advisory

Synopsis: Moderate: dovecot security update Advisory ID: RHSA-2011:1187-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1187.html Issue date: 2011-08-18 CVE Names: CVE-2011-1929 =====================================================================

  1. Summary:

Updated dovecot packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

  1. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

  1. (CVE-2011-1929)

Users of dovecot are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the dovecot service will be restarted automatically.

  1. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

  1. Bugs fixed (http://bugzilla.redhat.com/):

706286 - CVE-2011-1929 dovecot: potential crash when parsing header names that contain NUL characters

  1. Package List:

Red Hat Enterprise Linux AS version 4:

Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm

i386: dovecot-0.99.11-10.EL4.i386.rpm dovecot-debuginfo-0.99.11-10.EL4.i386.rpm

ia64: dovecot-0.99.11-10.EL4.ia64.rpm dovecot-debuginfo-0.99.11-10.EL4.ia64.rpm

ppc: dovecot-0.99.11-10.EL4.ppc.rpm dovecot-debuginfo-0.99.11-10.EL4.ppc.rpm

s390: dovecot-0.99.11-10.EL4.s390.rpm dovecot-debuginfo-0.99.11-10.EL4.s390.rpm

s390x: dovecot-0.99.11-10.EL4.s390x.rpm dovecot-debuginfo-0.99.11-10.EL4.s390x.rpm

x86_64: dovecot-0.99.11-10.EL4.x86_64.rpm dovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm

i386: dovecot-0.99.11-10.EL4.i386.rpm dovecot-debuginfo-0.99.11-10.EL4.i386.rpm

x86_64: dovecot-0.99.11-10.EL4.x86_64.rpm dovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm

i386: dovecot-0.99.11-10.EL4.i386.rpm dovecot-debuginfo-0.99.11-10.EL4.i386.rpm

ia64: dovecot-0.99.11-10.EL4.ia64.rpm dovecot-debuginfo-0.99.11-10.EL4.ia64.rpm

x86_64: dovecot-0.99.11-10.EL4.x86_64.rpm dovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm

i386: dovecot-0.99.11-10.EL4.i386.rpm dovecot-debuginfo-0.99.11-10.EL4.i386.rpm

ia64: dovecot-0.99.11-10.EL4.ia64.rpm dovecot-debuginfo-0.99.11-10.EL4.ia64.rpm

x86_64: dovecot-0.99.11-10.EL4.x86_64.rpm dovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/dovecot-1.0.7-7.el5_7.1.src.rpm

i386: dovecot-1.0.7-7.el5_7.1.i386.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.i386.rpm

x86_64: dovecot-1.0.7-7.el5_7.1.x86_64.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/dovecot-1.0.7-7.el5_7.1.src.rpm

i386: dovecot-1.0.7-7.el5_7.1.i386.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.i386.rpm

ia64: dovecot-1.0.7-7.el5_7.1.ia64.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.ia64.rpm

ppc: dovecot-1.0.7-7.el5_7.1.ppc.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.ppc.rpm

s390x: dovecot-1.0.7-7.el5_7.1.s390x.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.s390x.rpm

x86_64: dovecot-1.0.7-7.el5_7.1.x86_64.rpm dovecot-debuginfo-1.0.7-7.el5_7.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm

i386: dovecot-2.0.9-2.el6_1.1.i686.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm dovecot-mysql-2.0.9-2.el6_1.1.i686.rpm dovecot-pgsql-2.0.9-2.el6_1.1.i686.rpm dovecot-pigeonhole-2.0.9-2.el6_1.1.i686.rpm

ppc64: dovecot-2.0.9-2.el6_1.1.ppc.rpm dovecot-2.0.9-2.el6_1.1.ppc64.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.ppc.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.ppc64.rpm dovecot-mysql-2.0.9-2.el6_1.1.ppc64.rpm dovecot-pgsql-2.0.9-2.el6_1.1.ppc64.rpm dovecot-pigeonhole-2.0.9-2.el6_1.1.ppc64.rpm

s390x: dovecot-2.0.9-2.el6_1.1.s390.rpm dovecot-2.0.9-2.el6_1.1.s390x.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.s390.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.s390x.rpm dovecot-mysql-2.0.9-2.el6_1.1.s390x.rpm dovecot-pgsql-2.0.9-2.el6_1.1.s390x.rpm dovecot-pigeonhole-2.0.9-2.el6_1.1.s390x.rpm

x86_64: dovecot-2.0.9-2.el6_1.1.i686.rpm dovecot-2.0.9-2.el6_1.1.x86_64.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm dovecot-mysql-2.0.9-2.el6_1.1.x86_64.rpm dovecot-pgsql-2.0.9-2.el6_1.1.x86_64.rpm dovecot-pigeonhole-2.0.9-2.el6_1.1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm

i386: dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm dovecot-devel-2.0.9-2.el6_1.1.i686.rpm

ppc64: dovecot-debuginfo-2.0.9-2.el6_1.1.ppc64.rpm dovecot-devel-2.0.9-2.el6_1.1.ppc64.rpm

s390x: dovecot-debuginfo-2.0.9-2.el6_1.1.s390x.rpm dovecot-devel-2.0.9-2.el6_1.1.s390x.rpm

x86_64: dovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm dovecot-devel-2.0.9-2.el6_1.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm

i386: dovecot-2.0.9-2.el6_1.1.i686.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm dovecot-mysql-2.0.9-2.el6_1.1.i686.rpm dovecot-pgsql-2.0.9-2.el6_1.1.i686.rpm dovecot-pigeonhole-2.0.9-2.el6_1.1.i686.rpm

x86_64: dovecot-2.0.9-2.el6_1.1.i686.rpm dovecot-2.0.9-2.el6_1.1.x86_64.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm dovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm dovecot-mysql-2.0.9-2.el6_1.1.x86_64.rpm dovecot-pgsql-2.0.9-2.el6_1.1.x86_64.rpm dovecot-pigeonhole-2.0.9-2.el6_1.1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm

i386: dovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm dovecot-devel-2.0.9-2.el6_1.1.i686.rpm

x86_64: dovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm dovecot-devel-2.0.9-2.el6_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

  1. References:

https://www.redhat.com/security/data/cve/CVE-2011-1929.html https://access.redhat.com/security/updates/classification/#moderate

  1. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFOTW29XlSAg2UNWIIRAr8LAKCu85vT3BXBKZ1SRebWK7B9nG6OFQCfYR3k P3AdaDf2BpXnEhk2OL5DTpo= =eG31 -----END PGP SIGNATURE-----

-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-04


                                        http://security.gentoo.org/

Severity: High Title: Dovecot: Multiple vulnerabilities Date: October 10, 2011 Bugs: #286844, #293954, #314533, #368653 ID: 201110-04


Synopsis

Multiple vulnerabilities were found in Dovecot, the worst of which allowing for remote execution of arbitrary code.

Affected packages

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------

1 net-mail/dovecot < 2.0.13 *>= 1.2.17 >= 2.0.13

Description

Multiple vulnerabilities have been discovered in Dovecot. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could exploit these vulnerabilities to cause the remote execution of arbitrary code, or a Denial of Service condition, to conduct directory traversal attacks, corrupt data, or disclose information.

Workaround

There is no known workaround at this time.

Resolution

All Dovecot 1 users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.2.17"

All Dovecot 2 users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.0.13"

NOTE: This is a legacy GLSA. Updates for all affected architectures are available since May 28, 2011. It is likely that your system is already no longer affected by this issue.

References

[ 1 ] CVE-2009-3235 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235 [ 2 ] CVE-2009-3897 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897 [ 3 ] CVE-2010-0745 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745 [ 4 ] CVE-2010-3304 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304 [ 5 ] CVE-2010-3706 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706 [ 6 ] CVE-2010-3707 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707 [ 7 ] CVE-2010-3779 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779 [ 8 ] CVE-2010-3780 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780 [ 9 ] CVE-2011-1929 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929 [ 10 ] CVE-2011-2166 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166 [ 11 ] CVE-2011-2167 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201110-04.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

.

Packages for 2009.0 are provided as of the Extended Maintenance Program. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFN3e9VmqjQ0CJFipgRAjwfAJ95TzNOzqcOHVs9I3gIj1PqbuH6+gCfaxLM TC22GorN3moiTA4Ska8YOLU= =2Q1M -----END PGP SIGNATURE-----


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ========================================================================== Ubuntu Security Notice USN-1143-1 June 02, 2011

dovecot vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 11.04
  • Ubuntu 10.10
  • Ubuntu 10.04 LTS

Summary:

An attacker could send a crafted email message that could disrupt email service.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 11.04: dovecot-common 1:1.2.15-3ubuntu2.1

Ubuntu 10.10: dovecot-common 1:1.2.12-1ubuntu8.2

Ubuntu 10.04 LTS: dovecot-common 1:1.2.9-1ubuntu6.4

In general, a standard system update will make all the necessary changes.

The oldstable distribution (lenny) is not affected.

For the stable distribution (squeeze), this problem has been fixed in version 1.2.15-7.

For the unstable distribution (sid), this problem has been fixed in version 2.0.13-1

Show details on source website


{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201105-0095",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.12",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.1",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.0",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.0.8",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.0.7",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.0",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.0.9",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.0.6",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.0.10",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.0.11",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "2.0.4",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "2.0.3",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "2.0.2",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.16",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.15",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.14",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.13",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.12",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.10",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.9",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.8",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.7",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "2.0.5",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.6",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.5",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.4",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.3",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.2",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.3,
            vendor: "dovecot",
            version: "1.2.11",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1,
            vendor: "dovecot",
            version: "1.2.0",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1,
            vendor: "dovecot",
            version: "1.2.1",
         },
         {
            model: "dovecot",
            scope: "lt",
            trust: 0.8,
            vendor: "timo sirainen",
            version: "1.2.17",
         },
         {
            model: "dovecot",
            scope: "lt",
            trust: 0.8,
            vendor: "timo sirainen",
            version: "2.0.13",
         },
         {
            model: "turbolinux appliance server",
            scope: "eq",
            trust: 0.8,
            vendor: "turbo linux",
            version: "3.0",
         },
         {
            model: "turbolinux appliance server",
            scope: "eq",
            trust: 0.8,
            vendor: "turbo linux",
            version: "3.0 (x64)",
         },
         {
            model: "turbolinux server",
            scope: "eq",
            trust: 0.8,
            vendor: "turbo linux",
            version: "11",
         },
         {
            model: "turbolinux server",
            scope: "eq",
            trust: 0.8,
            vendor: "turbo linux",
            version: "11 (x64)",
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 0.8,
            vendor: "red hat",
            version: "4 (as)",
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 0.8,
            vendor: "red hat",
            version: "4 (es)",
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 0.8,
            vendor: "red hat",
            version: "4 (ws)",
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 0.8,
            vendor: "red hat",
            version: "5 (server)",
         },
         {
            model: "enterprise linux desktop",
            scope: "eq",
            trust: 0.8,
            vendor: "red hat",
            version: "4.0",
         },
         {
            model: "enterprise linux server",
            scope: "eq",
            trust: 0.8,
            vendor: "red hat",
            version: "6",
         },
         {
            model: "enterprise linux server eus",
            scope: "eq",
            trust: 0.8,
            vendor: "red hat",
            version: "6.1.z",
         },
         {
            model: "enterprise linux workstation",
            scope: "eq",
            trust: 0.8,
            vendor: "red hat",
            version: "6",
         },
         {
            model: "rhel desktop workstation",
            scope: "eq",
            trust: 0.8,
            vendor: "red hat",
            version: "5 (client)",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.6,
            vendor: "dovecot",
            version: "1.2.x",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.6,
            vendor: "dovecot",
            version: "2.0.x",
         },
         {
            model: "linux powerpc",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "11.04",
         },
         {
            model: "linux i386",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "11.04",
         },
         {
            model: "linux arm",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "11.04",
         },
         {
            model: "linux amd64",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "11.04",
         },
         {
            model: "linux powerpc",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "10.10",
         },
         {
            model: "linux i386",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "10.10",
         },
         {
            model: "linux arm",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "10.10",
         },
         {
            model: "linux amd64",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "10.10",
         },
         {
            model: "linux sparc",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "10.04",
         },
         {
            model: "linux powerpc",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "10.04",
         },
         {
            model: "linux i386",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "10.04",
         },
         {
            model: "linux arm",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "10.04",
         },
         {
            model: "linux amd64",
            scope: "eq",
            trust: 0.3,
            vendor: "ubuntu",
            version: "10.04",
         },
         {
            model: "opensuse",
            scope: "eq",
            trust: 0.3,
            vendor: "s u s e",
            version: "11.4",
         },
         {
            model: "opensuse",
            scope: "eq",
            trust: 0.3,
            vendor: "s u s e",
            version: "11.3",
         },
         {
            model: "enterprise linux ws",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "4",
         },
         {
            model: "enterprise linux workstation optional",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "6",
         },
         {
            model: "enterprise linux workstation",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "6",
         },
         {
            model: "enterprise linux server optional",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "6",
         },
         {
            model: "enterprise linux server",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "6",
         },
         {
            model: "enterprise linux es",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "4",
         },
         {
            model: "enterprise linux desktop workstation client",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "5",
         },
         {
            model: "enterprise linux as",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "4",
         },
         {
            model: "enterprise linux desktop version",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "4",
         },
         {
            model: "enterprise linux server",
            scope: "eq",
            trust: 0.3,
            vendor: "redhat",
            version: "5",
         },
         {
            model: "linux mandrake x86 64",
            scope: "eq",
            trust: 0.3,
            vendor: "mandriva",
            version: "2010.1",
         },
         {
            model: "linux mandrake",
            scope: "eq",
            trust: 0.3,
            vendor: "mandriva",
            version: "2010.1",
         },
         {
            model: "linux mandrake x86 64",
            scope: "eq",
            trust: 0.3,
            vendor: "mandriva",
            version: "2009.0",
         },
         {
            model: "linux mandrake",
            scope: "eq",
            trust: 0.3,
            vendor: "mandriva",
            version: "2009.0",
         },
         {
            model: "enterprise server x86 64",
            scope: "eq",
            trust: 0.3,
            vendor: "mandrakesoft",
            version: "5",
         },
         {
            model: "enterprise server",
            scope: "eq",
            trust: 0.3,
            vendor: "mandrakesoft",
            version: "5",
         },
         {
            model: "linux",
            scope: null,
            trust: 0.3,
            vendor: "gentoo",
            version: null,
         },
         {
            model: "dovecot",
            scope: "ne",
            trust: 0.3,
            vendor: "dovecot",
            version: "2.0.13",
         },
         {
            model: "dovecot",
            scope: "ne",
            trust: 0.3,
            vendor: "dovecot",
            version: "1.2.17",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2132",
         },
         {
            db: "BID",
            id: "47930",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-001934",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-250",
         },
         {
            db: "NVD",
            id: "CVE-2011-1929",
         },
      ],
   },
   configurations: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/configurations#",
         children: {
            "@container": "@list",
         },
         cpe_match: {
            "@container": "@list",
         },
         data: {
            "@container": "@list",
         },
         nodes: {
            "@container": "@list",
         },
      },
      data: [
         {
            CVE_data_version: "4.0",
            nodes: [
               {
                  cpe_match: [
                     {
                        cpe22Uri: "cpe:/a:dovecot:dovecot",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:turbolinux:turbolinux_appliance_server",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:turbolinux:turbolinux_server",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:redhat:enterprise_linux",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:redhat:enterprise_linux_desktop",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:redhat:enterprise_linux_server",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:redhat:rhel_server_eus",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:redhat:enterprise_linux_workstation",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:redhat:rhel_desktop_workstation",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-001934",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Timo Sirainen",
      sources: [
         {
            db: "BID",
            id: "47930",
         },
      ],
      trust: 0.3,
   },
   cve: "CVE-2011-1929",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "PARTIAL",
                  baseScore: 5,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 10,
                  id: "CVE-2011-1929",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 1.8,
                  vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                  version: "2.0",
               },
            ],
            cvssV3: [],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2011-1929",
                  trust: 1,
                  value: "MEDIUM",
               },
               {
                  author: "NVD",
                  id: "CVE-2011-1929",
                  trust: 0.8,
                  value: "Medium",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201105-250",
                  trust: 0.6,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-001934",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-250",
         },
         {
            db: "NVD",
            id: "CVE-2011-1929",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\\0' characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems. Dovecot is prone to a denial-of-service vulnerability because it fails to properly parse message headers. \nA remote attacker can exploit this issue to crash the affected application, denying service to legitimate users. \nDovecot versions prior to 1.2.17 and 2.0.13 are vulnerable. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n                   Red Hat Security Advisory\n\nSynopsis:          Moderate: dovecot security update\nAdvisory ID:       RHSA-2011:1187-01\nProduct:           Red Hat Enterprise Linux\nAdvisory URL:      https://rhn.redhat.com/errata/RHSA-2011-1187.html\nIssue date:        2011-08-18\nCVE Names:         CVE-2011-1929 \n=====================================================================\n\n1. Summary:\n\nUpdated dovecot packages that fix one security issue are now available for\nRed Hat Enterprise Linux 4, 5, and 6. \n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section. \n\n2. Relevant releases/architectures:\n\nRHEL Desktop Workstation (v. 5 client) - i386, x86_64\nRed Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64\nRed Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64\nRed Hat Enterprise Linux Desktop version 4 - i386, x86_64\nRed Hat Enterprise Linux ES version 4 - i386, ia64, x86_64\nRed Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux WS version 4 - i386, ia64, x86_64\nRed Hat Enterprise Linux Workstation (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64\n\n3. \n(CVE-2011-1929)\n\nUsers of dovecot are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing the\nupdated packages, the dovecot service will be restarted automatically. \n\n4. Solution:\n\nBefore applying this update, make sure all previously-released errata\nrelevant to your system have been applied. \n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259\n\n5. Bugs fixed (http://bugzilla.redhat.com/):\n\n706286 - CVE-2011-1929 dovecot: potential crash when parsing header names that contain NUL characters\n\n6. Package List:\n\nRed Hat Enterprise Linux AS version 4:\n\nSource:\nftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm\n\ni386:\ndovecot-0.99.11-10.EL4.i386.rpm\ndovecot-debuginfo-0.99.11-10.EL4.i386.rpm\n\nia64:\ndovecot-0.99.11-10.EL4.ia64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.ia64.rpm\n\nppc:\ndovecot-0.99.11-10.EL4.ppc.rpm\ndovecot-debuginfo-0.99.11-10.EL4.ppc.rpm\n\ns390:\ndovecot-0.99.11-10.EL4.s390.rpm\ndovecot-debuginfo-0.99.11-10.EL4.s390.rpm\n\ns390x:\ndovecot-0.99.11-10.EL4.s390x.rpm\ndovecot-debuginfo-0.99.11-10.EL4.s390x.rpm\n\nx86_64:\ndovecot-0.99.11-10.EL4.x86_64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm\n\nRed Hat Enterprise Linux Desktop version 4:\n\nSource:\nftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm\n\ni386:\ndovecot-0.99.11-10.EL4.i386.rpm\ndovecot-debuginfo-0.99.11-10.EL4.i386.rpm\n\nx86_64:\ndovecot-0.99.11-10.EL4.x86_64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm\n\nRed Hat Enterprise Linux ES version 4:\n\nSource:\nftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm\n\ni386:\ndovecot-0.99.11-10.EL4.i386.rpm\ndovecot-debuginfo-0.99.11-10.EL4.i386.rpm\n\nia64:\ndovecot-0.99.11-10.EL4.ia64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.ia64.rpm\n\nx86_64:\ndovecot-0.99.11-10.EL4.x86_64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm\n\nRed Hat Enterprise Linux WS version 4:\n\nSource:\nftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/dovecot-0.99.11-10.EL4.src.rpm\n\ni386:\ndovecot-0.99.11-10.EL4.i386.rpm\ndovecot-debuginfo-0.99.11-10.EL4.i386.rpm\n\nia64:\ndovecot-0.99.11-10.EL4.ia64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.ia64.rpm\n\nx86_64:\ndovecot-0.99.11-10.EL4.x86_64.rpm\ndovecot-debuginfo-0.99.11-10.EL4.x86_64.rpm\n\nRHEL Desktop Workstation (v. 5 client):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/dovecot-1.0.7-7.el5_7.1.src.rpm\n\ni386:\ndovecot-1.0.7-7.el5_7.1.i386.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.i386.rpm\n\nx86_64:\ndovecot-1.0.7-7.el5_7.1.x86_64.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.x86_64.rpm\n\nRed Hat Enterprise Linux (v. 5 server):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/dovecot-1.0.7-7.el5_7.1.src.rpm\n\ni386:\ndovecot-1.0.7-7.el5_7.1.i386.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.i386.rpm\n\nia64:\ndovecot-1.0.7-7.el5_7.1.ia64.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.ia64.rpm\n\nppc:\ndovecot-1.0.7-7.el5_7.1.ppc.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.ppc.rpm\n\ns390x:\ndovecot-1.0.7-7.el5_7.1.s390x.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.s390x.rpm\n\nx86_64:\ndovecot-1.0.7-7.el5_7.1.x86_64.rpm\ndovecot-debuginfo-1.0.7-7.el5_7.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm\n\ni386:\ndovecot-2.0.9-2.el6_1.1.i686.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm\ndovecot-mysql-2.0.9-2.el6_1.1.i686.rpm\ndovecot-pgsql-2.0.9-2.el6_1.1.i686.rpm\ndovecot-pigeonhole-2.0.9-2.el6_1.1.i686.rpm\n\nppc64:\ndovecot-2.0.9-2.el6_1.1.ppc.rpm\ndovecot-2.0.9-2.el6_1.1.ppc64.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.ppc.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.ppc64.rpm\ndovecot-mysql-2.0.9-2.el6_1.1.ppc64.rpm\ndovecot-pgsql-2.0.9-2.el6_1.1.ppc64.rpm\ndovecot-pigeonhole-2.0.9-2.el6_1.1.ppc64.rpm\n\ns390x:\ndovecot-2.0.9-2.el6_1.1.s390.rpm\ndovecot-2.0.9-2.el6_1.1.s390x.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.s390.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.s390x.rpm\ndovecot-mysql-2.0.9-2.el6_1.1.s390x.rpm\ndovecot-pgsql-2.0.9-2.el6_1.1.s390x.rpm\ndovecot-pigeonhole-2.0.9-2.el6_1.1.s390x.rpm\n\nx86_64:\ndovecot-2.0.9-2.el6_1.1.i686.rpm\ndovecot-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-mysql-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-pgsql-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-pigeonhole-2.0.9-2.el6_1.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm\n\ni386:\ndovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm\ndovecot-devel-2.0.9-2.el6_1.1.i686.rpm\n\nppc64:\ndovecot-debuginfo-2.0.9-2.el6_1.1.ppc64.rpm\ndovecot-devel-2.0.9-2.el6_1.1.ppc64.rpm\n\ns390x:\ndovecot-debuginfo-2.0.9-2.el6_1.1.s390x.rpm\ndovecot-devel-2.0.9-2.el6_1.1.s390x.rpm\n\nx86_64:\ndovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-devel-2.0.9-2.el6_1.1.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm\n\ni386:\ndovecot-2.0.9-2.el6_1.1.i686.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm\ndovecot-mysql-2.0.9-2.el6_1.1.i686.rpm\ndovecot-pgsql-2.0.9-2.el6_1.1.i686.rpm\ndovecot-pigeonhole-2.0.9-2.el6_1.1.i686.rpm\n\nx86_64:\ndovecot-2.0.9-2.el6_1.1.i686.rpm\ndovecot-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm\ndovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-mysql-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-pgsql-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-pigeonhole-2.0.9-2.el6_1.1.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-2.el6_1.1.src.rpm\n\ni386:\ndovecot-debuginfo-2.0.9-2.el6_1.1.i686.rpm\ndovecot-devel-2.0.9-2.el6_1.1.i686.rpm\n\nx86_64:\ndovecot-debuginfo-2.0.9-2.el6_1.1.x86_64.rpm\ndovecot-devel-2.0.9-2.el6_1.1.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and \ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/#package\n\n7. References:\n\nhttps://www.redhat.com/security/data/cve/CVE-2011-1929.html\nhttps://access.redhat.com/security/updates/classification/#moderate\n\n8. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>.  More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2011 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.4 (GNU/Linux)\n\niD8DBQFOTW29XlSAg2UNWIIRAr8LAKCu85vT3BXBKZ1SRebWK7B9nG6OFQCfYR3k\nP3AdaDf2BpXnEhk2OL5DTpo=\n=eG31\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 201110-04\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                            http://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n    Title: Dovecot: Multiple vulnerabilities\n     Date: October 10, 2011\n     Bugs: #286844, #293954, #314533, #368653\n       ID: 201110-04\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities were found in Dovecot, the worst of which\nallowing for remote execution of arbitrary code. \n\nAffected packages\n=================\n\n    -------------------------------------------------------------------\n     Package              /     Vulnerable     /            Unaffected\n    -------------------------------------------------------------------\n  1  net-mail/dovecot             < 2.0.13                 *>= 1.2.17\n                                                            >= 2.0.13\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in Dovecot. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nA remote attacker could exploit these vulnerabilities to cause the\nremote execution of arbitrary code, or a Denial of Service condition,\nto conduct directory traversal attacks, corrupt data, or disclose\ninformation. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Dovecot 1 users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \">=net-mail/dovecot-1.2.17\"\n\nAll Dovecot 2 users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \">=net-mail/dovecot-2.0.13\"\n\nNOTE: This is a legacy GLSA. Updates for all affected architectures are\navailable since May 28, 2011. It is likely that your system is already\nno longer affected by this issue. \n\nReferences\n==========\n\n[  1 ] CVE-2009-3235\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235\n[  2 ] CVE-2009-3897\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897\n[  3 ] CVE-2010-0745\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745\n[  4 ] CVE-2010-3304\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304\n[  5 ] CVE-2010-3706\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706\n[  6 ] CVE-2010-3707\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707\n[  7 ] CVE-2010-3779\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779\n[  8 ] CVE-2010-3780\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780\n[  9 ] CVE-2011-1929\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929\n[ 10 ] CVE-2011-2166\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166\n[ 11 ] CVE-2011-2167\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n http://security.gentoo.org/glsa/glsa-201110-04.xml\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users' machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2011 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n\n\n\n. \n \n Packages for 2009.0 are provided as of the Extended Maintenance\n Program.  The verification\n of md5 checksums and GPG signatures is performed automatically for you. \n\n All packages are signed by Mandriva for security.  You can obtain the\n GPG public key of the Mandriva Security Team by executing:\n\n  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\n\n You can view other update advisories for Mandriva Linux at:\n\n  http://www.mandriva.com/security/advisories\n\n If you want to report vulnerabilities, please contact\n\n  security_(at)_mandriva.com\n _______________________________________________________________________\n\n Type Bits/KeyID     Date       User ID\n pub  1024D/22458A98 2000-07-10 Mandriva Security Team\n  <security*mandriva.com>\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.9 (GNU/Linux)\n\niD8DBQFN3e9VmqjQ0CJFipgRAjwfAJ95TzNOzqcOHVs9I3gIj1PqbuH6+gCfaxLM\nTC22GorN3moiTA4Ska8YOLU=\n=2Q1M\n-----END PGP SIGNATURE-----\n\n_______________________________________________\nFull-Disclosure - We believe in it. \nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\nHosted and sponsored by Secunia - http://secunia.com/\n. ==========================================================================\nUbuntu Security Notice USN-1143-1\nJune 02, 2011\n\ndovecot vulnerability\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 11.04\n- Ubuntu 10.10\n- Ubuntu 10.04 LTS\n\nSummary:\n\nAn attacker could send a crafted email message that could disrupt email\nservice. \n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 11.04:\n  dovecot-common                  1:1.2.15-3ubuntu2.1\n\nUbuntu 10.10:\n  dovecot-common                  1:1.2.12-1ubuntu8.2\n\nUbuntu 10.04 LTS:\n  dovecot-common                  1:1.2.9-1ubuntu6.4\n\nIn general, a standard system update will make all the necessary changes. \n\n\nThe oldstable distribution (lenny) is not affected. \n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.2.15-7. \n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.0.13-1",
      sources: [
         {
            db: "NVD",
            id: "CVE-2011-1929",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-001934",
         },
         {
            db: "CNVD",
            id: "CNVD-2011-2132",
         },
         {
            db: "BID",
            id: "47930",
         },
         {
            db: "PACKETSTORM",
            id: "104202",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            db: "PACKETSTORM",
            id: "101719",
         },
         {
            db: "PACKETSTORM",
            id: "101933",
         },
         {
            db: "PACKETSTORM",
            id: "101949",
         },
      ],
      trust: 2.88,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2011-1929",
            trust: 3.8,
         },
         {
            db: "BID",
            id: "47930",
            trust: 3.3,
         },
         {
            db: "OSVDB",
            id: "72495",
            trust: 1.8,
         },
         {
            db: "SECUNIA",
            id: "44683",
            trust: 1.8,
         },
         {
            db: "OPENWALL",
            id: "OSS-SECURITY/2011/05/19/6",
            trust: 1.6,
         },
         {
            db: "OPENWALL",
            id: "OSS-SECURITY/2011/05/19/3",
            trust: 1.6,
         },
         {
            db: "OPENWALL",
            id: "OSS-SECURITY/2011/05/18/4",
            trust: 1.6,
         },
         {
            db: "SECUNIA",
            id: "44827",
            trust: 1,
         },
         {
            db: "SECUNIA",
            id: "44771",
            trust: 1,
         },
         {
            db: "SECUNIA",
            id: "44712",
            trust: 1,
         },
         {
            db: "SECUNIA",
            id: "44756",
            trust: 1,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-001934",
            trust: 0.8,
         },
         {
            db: "CNVD",
            id: "CNVD-2011-2132",
            trust: 0.6,
         },
         {
            db: "MLIST",
            id: "[DOVECOT] 20110511 V2.0.13 RELEASED",
            trust: 0.6,
         },
         {
            db: "MLIST",
            id: "[DOVECOT] 20110511 V1.2.17 RELEASED",
            trust: 0.6,
         },
         {
            db: "MLIST",
            id: "[OSS-SECURITY] 20110519 RE: DOVECOT RELEASES",
            trust: 0.6,
         },
         {
            db: "MLIST",
            id: "[OSS-SECURITY] 20110518 DOVECOT RELEASES",
            trust: 0.6,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-250",
            trust: 0.6,
         },
         {
            db: "PACKETSTORM",
            id: "104202",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "105652",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "101719",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "101933",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "101949",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2132",
         },
         {
            db: "BID",
            id: "47930",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-001934",
         },
         {
            db: "PACKETSTORM",
            id: "104202",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            db: "PACKETSTORM",
            id: "101719",
         },
         {
            db: "PACKETSTORM",
            id: "101933",
         },
         {
            db: "PACKETSTORM",
            id: "101949",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-250",
         },
         {
            db: "NVD",
            id: "CVE-2011-1929",
         },
      ],
   },
   id: "VAR-201105-0095",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2132",
         },
      ],
      trust: 0.06,
   },
   iot_taxonomy: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            category: [
               "Network device",
            ],
            sub_category: null,
            trust: 0.6,
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2132",
         },
      ],
   },
   last_update_date: "2024-11-29T21:31:12.341000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "v1.2.17 released",
            trust: 0.8,
            url: "http://dovecot.org/pipermail/dovecot/2011-May/059086.html",
         },
         {
            title: "v2.0.13 released",
            trust: 0.8,
            url: "http://dovecot.org/pipermail/dovecot/2011-May/059085.html",
         },
         {
            title: "dovecot-1.1 / changeset",
            trust: 0.8,
            url: "http://hg.dovecot.org/dovecot-1.1/rev/3698dfe0f21c",
         },
         {
            title: "RHSA-2011:1187",
            trust: 0.8,
            url: "https://rhn.redhat.com/errata/RHSA-2011-1187.html",
         },
         {
            title: "TLSA-2011-22",
            trust: 0.8,
            url: "http://www.turbolinux.co.jp/security/2011/TLSA-2011-22j.txt",
         },
         {
            title: "Dovecot denies service patch vulnerabilities",
            trust: 0.6,
            url: "https://www.cnvd.org.cn/patchInfo/show/4012",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2132",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-001934",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-20",
            trust: 1.8,
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-001934",
         },
         {
            db: "NVD",
            id: "CVE-2011-1929",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 3,
            url: "http://www.securityfocus.com/bid/47930",
         },
         {
            trust: 1.9,
            url: "http://dovecot.org/pipermail/dovecot/2011-may/059086.html",
         },
         {
            trust: 1.9,
            url: "http://dovecot.org/pipermail/dovecot/2011-may/059085.html",
         },
         {
            trust: 1.9,
            url: "http://hg.dovecot.org/dovecot-1.1/rev/3698dfe0f21c",
         },
         {
            trust: 1.8,
            url: "http://osvdb.org/72495",
         },
         {
            trust: 1.8,
            url: "http://secunia.com/advisories/44683",
         },
         {
            trust: 1.6,
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=706286",
         },
         {
            trust: 1.6,
            url: "http://www.dovecot.org/doc/news-2.0",
         },
         {
            trust: 1.6,
            url: "http://www.dovecot.org/doc/news-1.2",
         },
         {
            trust: 1.6,
            url: "http://openwall.com/lists/oss-security/2011/05/19/6",
         },
         {
            trust: 1.6,
            url: "http://openwall.com/lists/oss-security/2011/05/19/3",
         },
         {
            trust: 1.6,
            url: "http://openwall.com/lists/oss-security/2011/05/18/4",
         },
         {
            trust: 1,
            url: "http://www.debian.org/security/2011/dsa-2252",
         },
         {
            trust: 1,
            url: "http://secunia.com/advisories/44756",
         },
         {
            trust: 1,
            url: "https://hermes.opensuse.org/messages/8581790",
         },
         {
            trust: 1,
            url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-may/060825.html",
         },
         {
            trust: 1,
            url: "http://www.redhat.com/support/errata/rhsa-2011-1187.html",
         },
         {
            trust: 1,
            url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-may/060815.html",
         },
         {
            trust: 1,
            url: "http://lists.fedoraproject.org/pipermail/package-announce/2011-june/061384.html",
         },
         {
            trust: 1,
            url: "http://secunia.com/advisories/44827",
         },
         {
            trust: 1,
            url: "http://secunia.com/advisories/44771",
         },
         {
            trust: 1,
            url: "http://www.mandriva.com/security/advisories?name=mdvsa-2011:101",
         },
         {
            trust: 1,
            url: "http://secunia.com/advisories/44712",
         },
         {
            trust: 1,
            url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/67589",
         },
         {
            trust: 1,
            url: "http://www.ubuntu.com/usn/usn-1143-1",
         },
         {
            trust: 0.9,
            url: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-1929",
         },
         {
            trust: 0.8,
            url: "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-1929",
         },
         {
            trust: 0.4,
            url: "https://nvd.nist.gov/vuln/detail/cve-2011-1929",
         },
         {
            trust: 0.3,
            url: "http://www.dovecot.org/",
         },
         {
            trust: 0.2,
            url: "http://secunia.com/",
         },
         {
            trust: 0.2,
            url: "http://lists.grok.org.uk/full-disclosure-charter.html",
         },
         {
            trust: 0.1,
            url: "https://www.redhat.com/mailman/listinfo/rhsa-announce",
         },
         {
            trust: 0.1,
            url: "https://rhn.redhat.com/errata/rhsa-2011-1187.html",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/kb/docs/doc-11259",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/team/key/#package",
         },
         {
            trust: 0.1,
            url: "http://bugzilla.redhat.com/):",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/updates/classification/#moderate",
         },
         {
            trust: 0.1,
            url: "https://www.redhat.com/security/data/cve/cve-2011-1929.html",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/team/contact/",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-1929",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3304",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3706",
         },
         {
            trust: 0.1,
            url: "http://creativecommons.org/licenses/by-sa/2.5",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-0745",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3897",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3779",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2167",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3707",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2009-3897",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3780",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2166",
         },
         {
            trust: 0.1,
            url: "http://security.gentoo.org/",
         },
         {
            trust: 0.1,
            url: "https://bugs.gentoo.org.",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3235",
         },
         {
            trust: 0.1,
            url: "http://security.gentoo.org/glsa/glsa-201110-04.xml",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2009-3235",
         },
         {
            trust: 0.1,
            url: "http://store.mandriva.com/product_info.php\\?cpath=149\\&amp;products_id=490",
         },
         {
            trust: 0.1,
            url: "http://www.mandriva.com/security/",
         },
         {
            trust: 0.1,
            url: "http://www.mandriva.com/security/advisories",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/dovecot/1:1.2.15-3ubuntu2.1",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/dovecot/1:1.2.12-1ubuntu8.2",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/dovecot/1:1.2.9-1ubuntu6.4",
         },
         {
            trust: 0.1,
            url: "http://www.debian.org/security/faq",
         },
         {
            trust: 0.1,
            url: "http://www.debian.org/security/",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2132",
         },
         {
            db: "BID",
            id: "47930",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-001934",
         },
         {
            db: "PACKETSTORM",
            id: "104202",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            db: "PACKETSTORM",
            id: "101719",
         },
         {
            db: "PACKETSTORM",
            id: "101933",
         },
         {
            db: "PACKETSTORM",
            id: "101949",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-250",
         },
         {
            db: "NVD",
            id: "CVE-2011-1929",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "CNVD",
            id: "CNVD-2011-2132",
         },
         {
            db: "BID",
            id: "47930",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-001934",
         },
         {
            db: "PACKETSTORM",
            id: "104202",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            db: "PACKETSTORM",
            id: "101719",
         },
         {
            db: "PACKETSTORM",
            id: "101933",
         },
         {
            db: "PACKETSTORM",
            id: "101949",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-250",
         },
         {
            db: "NVD",
            id: "CVE-2011-1929",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2011-06-05T00:00:00",
            db: "CNVD",
            id: "CNVD-2011-2132",
         },
         {
            date: "2011-05-19T00:00:00",
            db: "BID",
            id: "47930",
         },
         {
            date: "2011-07-26T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2011-001934",
         },
         {
            date: "2011-08-19T01:53:33",
            db: "PACKETSTORM",
            id: "104202",
         },
         {
            date: "2011-10-10T22:42:12",
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            date: "2011-05-26T13:48:10",
            db: "PACKETSTORM",
            id: "101719",
         },
         {
            date: "2011-06-02T06:03:22",
            db: "PACKETSTORM",
            id: "101933",
         },
         {
            date: "2010-06-02T12:13:00",
            db: "PACKETSTORM",
            id: "101949",
         },
         {
            date: "2011-05-25T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201105-250",
         },
         {
            date: "2011-05-24T23:55:04.387000",
            db: "NVD",
            id: "CVE-2011-1929",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2011-06-05T00:00:00",
            db: "CNVD",
            id: "CNVD-2011-2132",
         },
         {
            date: "2015-04-13T21:58:00",
            db: "BID",
            id: "47930",
         },
         {
            date: "2011-08-31T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2011-001934",
         },
         {
            date: "2011-05-25T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201105-250",
         },
         {
            date: "2024-11-21T01:27:19.797000",
            db: "NVD",
            id: "CVE-2011-1929",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            db: "PACKETSTORM",
            id: "101719",
         },
         {
            db: "PACKETSTORM",
            id: "101933",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-250",
         },
      ],
      trust: 0.9,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Dovecot of  lib-mail/message-header-parser.c Service disruption in  (DoS) Vulnerabilities",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-001934",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "input validation",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201105-250",
         },
      ],
      trust: 0.6,
   },
}

var-201105-0289
Vulnerability from variot

script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems. Dovecot is prone to multiple security-bypass vulnerabilities because it fails to properly implement certain configuration settings. Authenticated attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

===================================================================== Red Hat Security Advisory

Synopsis: Low: dovecot security and bug fix update Advisory ID: RHSA-2013:0520-02 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0520.html Issue date: 2013-02-21 CVE Names: CVE-2011-2166 CVE-2011-2167 CVE-2011-4318 =====================================================================

  1. Summary:

Updated dovecot packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

  1. It supports mail in either of maildir or mbox formats. The SQL drivers and authentication plug-ins are provided as sub-packages.

Two flaws were found in the way some settings were enforced by the script-login functionality of Dovecot. (CVE-2011-2166, CVE-2011-2167)

A flaw was found in the way Dovecot performed remote server identity verification, when it was configured to proxy IMAP and POP3 connections to remote hosts using TLS/SSL protocols. A remote attacker could use this flaw to conduct man-in-the-middle attacks using an X.509 certificate issued by a trusted Certificate Authority (for a different name). (CVE-2011-4318)

This update also fixes the following bug:

  • When a new user first accessed their IMAP inbox, Dovecot was, under some circumstances, unable to change the group ownership of the inbox directory in the user's Maildir location to match that of the user's mail spool (/var/mail/$USER). This correctly generated an "Internal error occurred" message. However, with a subsequent attempt to access the inbox, Dovecot saw that the directory already existed and proceeded with its operation, leaving the directory with incorrectly set permissions. This update corrects the underlying permissions setting error. When a new user now accesses their inbox for the first time, and it is not possible to set group ownership, Dovecot removes the created directory and generates an error message instead of keeping the directory with incorrect group ownership. (BZ#697620)

Users of dovecot are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the dovecot service will be restarted automatically.

  1. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

  1. Package List:

Red Hat Enterprise Linux Server (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm

i386: dovecot-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-mysql-2.0.9-5.el6.i686.rpm dovecot-pgsql-2.0.9-5.el6.i686.rpm dovecot-pigeonhole-2.0.9-5.el6.i686.rpm

ppc64: dovecot-2.0.9-5.el6.ppc.rpm dovecot-2.0.9-5.el6.ppc64.rpm dovecot-debuginfo-2.0.9-5.el6.ppc.rpm dovecot-debuginfo-2.0.9-5.el6.ppc64.rpm dovecot-mysql-2.0.9-5.el6.ppc64.rpm dovecot-pgsql-2.0.9-5.el6.ppc64.rpm dovecot-pigeonhole-2.0.9-5.el6.ppc64.rpm

s390x: dovecot-2.0.9-5.el6.s390.rpm dovecot-2.0.9-5.el6.s390x.rpm dovecot-debuginfo-2.0.9-5.el6.s390.rpm dovecot-debuginfo-2.0.9-5.el6.s390x.rpm dovecot-mysql-2.0.9-5.el6.s390x.rpm dovecot-pgsql-2.0.9-5.el6.s390x.rpm dovecot-pigeonhole-2.0.9-5.el6.s390x.rpm

x86_64: dovecot-2.0.9-5.el6.i686.rpm dovecot-2.0.9-5.el6.x86_64.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-mysql-2.0.9-5.el6.x86_64.rpm dovecot-pgsql-2.0.9-5.el6.x86_64.rpm dovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm

i386: dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-devel-2.0.9-5.el6.i686.rpm

ppc64: dovecot-debuginfo-2.0.9-5.el6.ppc64.rpm dovecot-devel-2.0.9-5.el6.ppc64.rpm

s390x: dovecot-debuginfo-2.0.9-5.el6.s390x.rpm dovecot-devel-2.0.9-5.el6.s390x.rpm

x86_64: dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-devel-2.0.9-5.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm

i386: dovecot-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-mysql-2.0.9-5.el6.i686.rpm dovecot-pgsql-2.0.9-5.el6.i686.rpm dovecot-pigeonhole-2.0.9-5.el6.i686.rpm

x86_64: dovecot-2.0.9-5.el6.i686.rpm dovecot-2.0.9-5.el6.x86_64.rpm dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-mysql-2.0.9-5.el6.x86_64.rpm dovecot-pgsql-2.0.9-5.el6.x86_64.rpm dovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm

i386: dovecot-debuginfo-2.0.9-5.el6.i686.rpm dovecot-devel-2.0.9-5.el6.i686.rpm

x86_64: dovecot-debuginfo-2.0.9-5.el6.x86_64.rpm dovecot-devel-2.0.9-5.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

  1. References:

https://www.redhat.com/security/data/cve/CVE-2011-2166.html https://www.redhat.com/security/data/cve/CVE-2011-2167.html https://www.redhat.com/security/data/cve/CVE-2011-4318.html https://access.redhat.com/security/updates/classification/#low

  1. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJcMBXlSAg2UNWIIRAsLkAKCVzudrg6y2jNbVu8TARQH65FPliACgpPzA 3cvEfHEUoK/fdUBZNDEuZqU= =9rAE -----END PGP SIGNATURE-----

-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-04


                                        http://security.gentoo.org/

Severity: High Title: Dovecot: Multiple vulnerabilities Date: October 10, 2011 Bugs: #286844, #293954, #314533, #368653 ID: 201110-04


Synopsis

Multiple vulnerabilities were found in Dovecot, the worst of which allowing for remote execution of arbitrary code. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could exploit these vulnerabilities to cause the remote execution of arbitrary code, or a Denial of Service condition, to conduct directory traversal attacks, corrupt data, or disclose information.

Workaround

There is no known workaround at this time.

Resolution

All Dovecot 1 users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.2.17"

All Dovecot 2 users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.0.13"

NOTE: This is a legacy GLSA. Updates for all affected architectures are available since May 28, 2011. It is likely that your system is already no longer affected by this issue.

References

[ 1 ] CVE-2009-3235 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235 [ 2 ] CVE-2009-3897 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897 [ 3 ] CVE-2010-0745 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745 [ 4 ] CVE-2010-3304 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304 [ 5 ] CVE-2010-3706 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706 [ 6 ] CVE-2010-3707 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707 [ 7 ] CVE-2010-3779 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779 [ 8 ] CVE-2010-3780 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780 [ 9 ] CVE-2011-1929 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929 [ 10 ] CVE-2011-2166 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166 [ 11 ] CVE-2011-2167 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201110-04.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Show details on source website


{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201105-0289",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.12",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.3",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.5",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.0",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.1",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.2",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.9,
            vendor: "dovecot",
            version: "2.0.4",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.0.8",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.0.7",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.0.9",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1,
            vendor: "dovecot",
            version: "2.0.11",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1,
            vendor: "dovecot",
            version: "2.0.10",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 1,
            vendor: "dovecot",
            version: "2.0.6",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.8,
            vendor: "timo sirainen",
            version: "2.0.13",
         },
         {
            model: "dovecot",
            scope: "lt",
            trust: 0.8,
            vendor: "timo sirainen",
            version: "2.0.x",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.6,
            vendor: "dovecot",
            version: "2.0.x",
         },
         {
            model: "dovecot",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "2.0",
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 0.3,
            vendor: "oracle",
            version: "6.2",
         },
         {
            model: "linux",
            scope: null,
            trust: 0.3,
            vendor: "gentoo",
            version: null,
         },
         {
            model: "enterprise linux",
            scope: "eq",
            trust: 0.3,
            vendor: "oracle",
            version: "6",
         },
         {
            model: "beta1",
            scope: "eq",
            trust: 0.3,
            vendor: "dovecot",
            version: "2.0",
         },
         {
            model: "dovecot",
            scope: "ne",
            trust: 0.3,
            vendor: "dovecot",
            version: "2.0.13",
         },
         {
            model: "centos",
            scope: "eq",
            trust: 0.3,
            vendor: "centos",
            version: "6",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2131",
         },
         {
            db: "BID",
            id: "48003",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004653",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-251",
         },
         {
            db: "NVD",
            id: "CVE-2011-2166",
         },
      ],
   },
   configurations: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/configurations#",
         children: {
            "@container": "@list",
         },
         cpe_match: {
            "@container": "@list",
         },
         data: {
            "@container": "@list",
         },
         nodes: {
            "@container": "@list",
         },
      },
      data: [
         {
            CVE_data_version: "4.0",
            nodes: [
               {
                  cpe_match: [
                     {
                        cpe22Uri: "cpe:/a:dovecot:dovecot",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-004653",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Reported by the vendor.",
      sources: [
         {
            db: "BID",
            id: "48003",
         },
      ],
      trust: 0.3,
   },
   cve: "CVE-2011-2166",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "SINGLE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.5,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 8,
                  id: "CVE-2011-2166",
                  impactScore: 6.4,
                  integrityImpact: "PARTIAL",
                  severity: "MEDIUM",
                  trust: 1.8,
                  vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                  version: "2.0",
               },
            ],
            cvssV3: [],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2011-2166",
                  trust: 1,
                  value: "MEDIUM",
               },
               {
                  author: "NVD",
                  id: "CVE-2011-2166",
                  trust: 0.8,
                  value: "Medium",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201105-251",
                  trust: 0.6,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-004653",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-251",
         },
         {
            db: "NVD",
            id: "CVE-2011-2166",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems. Dovecot is prone to multiple security-bypass vulnerabilities because it fails to properly implement certain configuration settings. \nAuthenticated attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n                   Red Hat Security Advisory\n\nSynopsis:          Low: dovecot security and bug fix update\nAdvisory ID:       RHSA-2013:0520-02\nProduct:           Red Hat Enterprise Linux\nAdvisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0520.html\nIssue date:        2013-02-21\nCVE Names:         CVE-2011-2166 CVE-2011-2167 CVE-2011-4318 \n=====================================================================\n\n1. Summary:\n\nUpdated dovecot packages that fix three security issues and one bug are now\navailable for Red Hat Enterprise Linux 6. \n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64\n\n3. It\nsupports mail in either of maildir or mbox formats. The SQL drivers and\nauthentication plug-ins are provided as sub-packages. \n\nTwo flaws were found in the way some settings were enforced by the\nscript-login functionality of Dovecot. (CVE-2011-2166,\nCVE-2011-2167)\n\nA flaw was found in the way Dovecot performed remote server identity\nverification, when it was configured to proxy IMAP and POP3 connections to\nremote hosts using TLS/SSL protocols. A remote attacker could use this flaw\nto conduct man-in-the-middle attacks using an X.509 certificate issued by\na trusted Certificate Authority (for a different name). (CVE-2011-4318)\n\nThis update also fixes the following bug:\n\n* When a new user first accessed their IMAP inbox, Dovecot was, under some\ncircumstances, unable to change the group ownership of the inbox directory\nin the user's Maildir location to match that of the user's mail spool\n(/var/mail/$USER). This correctly generated an \"Internal error occurred\"\nmessage. However, with a subsequent attempt to access the inbox, Dovecot\nsaw that the directory already existed and proceeded with its operation,\nleaving the directory with incorrectly set permissions. This update\ncorrects the underlying permissions setting error. When a new user now\naccesses their inbox for the first time, and it is not possible to set\ngroup ownership, Dovecot removes the created directory and generates an\nerror message instead of keeping the directory with incorrect group\nownership. (BZ#697620)\n\nUsers of dovecot are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the dovecot service will be restarted automatically. \n\n4. Solution:\n\nBefore applying this update, make sure all previously-released errata\nrelevant to your system have been applied. \n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258\n\n5. Package List:\n\nRed Hat Enterprise Linux Server (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-mysql-2.0.9-5.el6.i686.rpm\ndovecot-pgsql-2.0.9-5.el6.i686.rpm\ndovecot-pigeonhole-2.0.9-5.el6.i686.rpm\n\nppc64:\ndovecot-2.0.9-5.el6.ppc.rpm\ndovecot-2.0.9-5.el6.ppc64.rpm\ndovecot-debuginfo-2.0.9-5.el6.ppc.rpm\ndovecot-debuginfo-2.0.9-5.el6.ppc64.rpm\ndovecot-mysql-2.0.9-5.el6.ppc64.rpm\ndovecot-pgsql-2.0.9-5.el6.ppc64.rpm\ndovecot-pigeonhole-2.0.9-5.el6.ppc64.rpm\n\ns390x:\ndovecot-2.0.9-5.el6.s390.rpm\ndovecot-2.0.9-5.el6.s390x.rpm\ndovecot-debuginfo-2.0.9-5.el6.s390.rpm\ndovecot-debuginfo-2.0.9-5.el6.s390x.rpm\ndovecot-mysql-2.0.9-5.el6.s390x.rpm\ndovecot-pgsql-2.0.9-5.el6.s390x.rpm\ndovecot-pigeonhole-2.0.9-5.el6.s390x.rpm\n\nx86_64:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-2.0.9-5.el6.x86_64.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-mysql-2.0.9-5.el6.x86_64.rpm\ndovecot-pgsql-2.0.9-5.el6.x86_64.rpm\ndovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-devel-2.0.9-5.el6.i686.rpm\n\nppc64:\ndovecot-debuginfo-2.0.9-5.el6.ppc64.rpm\ndovecot-devel-2.0.9-5.el6.ppc64.rpm\n\ns390x:\ndovecot-debuginfo-2.0.9-5.el6.s390x.rpm\ndovecot-devel-2.0.9-5.el6.s390x.rpm\n\nx86_64:\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-devel-2.0.9-5.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-mysql-2.0.9-5.el6.i686.rpm\ndovecot-pgsql-2.0.9-5.el6.i686.rpm\ndovecot-pigeonhole-2.0.9-5.el6.i686.rpm\n\nx86_64:\ndovecot-2.0.9-5.el6.i686.rpm\ndovecot-2.0.9-5.el6.x86_64.rpm\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-mysql-2.0.9-5.el6.x86_64.rpm\ndovecot-pgsql-2.0.9-5.el6.x86_64.rpm\ndovecot-pigeonhole-2.0.9-5.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 6):\n\nSource:\nftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/dovecot-2.0.9-5.el6.src.rpm\n\ni386:\ndovecot-debuginfo-2.0.9-5.el6.i686.rpm\ndovecot-devel-2.0.9-5.el6.i686.rpm\n\nx86_64:\ndovecot-debuginfo-2.0.9-5.el6.x86_64.rpm\ndovecot-devel-2.0.9-5.el6.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/#package\n\n7. References:\n\nhttps://www.redhat.com/security/data/cve/CVE-2011-2166.html\nhttps://www.redhat.com/security/data/cve/CVE-2011-2167.html\nhttps://www.redhat.com/security/data/cve/CVE-2011-4318.html\nhttps://access.redhat.com/security/updates/classification/#low\n\n8. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>.  More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2013 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.4 (GNU/Linux)\n\niD8DBQFRJcMBXlSAg2UNWIIRAsLkAKCVzudrg6y2jNbVu8TARQH65FPliACgpPzA\n3cvEfHEUoK/fdUBZNDEuZqU=\n=9rAE\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 201110-04\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                            http://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n    Title: Dovecot: Multiple vulnerabilities\n     Date: October 10, 2011\n     Bugs: #286844, #293954, #314533, #368653\n       ID: 201110-04\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities were found in Dovecot, the worst of which\nallowing for remote execution of arbitrary code. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nA remote attacker could exploit these vulnerabilities to cause the\nremote execution of arbitrary code, or a Denial of Service condition,\nto conduct directory traversal attacks, corrupt data, or disclose\ninformation. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Dovecot 1 users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \">=net-mail/dovecot-1.2.17\"\n\nAll Dovecot 2 users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \">=net-mail/dovecot-2.0.13\"\n\nNOTE: This is a legacy GLSA. Updates for all affected architectures are\navailable since May 28, 2011. It is likely that your system is already\nno longer affected by this issue. \n\nReferences\n==========\n\n[  1 ] CVE-2009-3235\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235\n[  2 ] CVE-2009-3897\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897\n[  3 ] CVE-2010-0745\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745\n[  4 ] CVE-2010-3304\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304\n[  5 ] CVE-2010-3706\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706\n[  6 ] CVE-2010-3707\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707\n[  7 ] CVE-2010-3779\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779\n[  8 ] CVE-2010-3780\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780\n[  9 ] CVE-2011-1929\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929\n[ 10 ] CVE-2011-2166\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166\n[ 11 ] CVE-2011-2167\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n http://security.gentoo.org/glsa/glsa-201110-04.xml\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users' machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2011 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n\n\n\n",
      sources: [
         {
            db: "NVD",
            id: "CVE-2011-2166",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004653",
         },
         {
            db: "CNVD",
            id: "CNVD-2011-2131",
         },
         {
            db: "BID",
            id: "48003",
         },
         {
            db: "PACKETSTORM",
            id: "120446",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
      ],
      trust: 2.61,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2011-2166",
            trust: 3.5,
         },
         {
            db: "OPENWALL",
            id: "OSS-SECURITY/2011/05/18/4",
            trust: 1.6,
         },
         {
            db: "BID",
            id: "48003",
            trust: 1.3,
         },
         {
            db: "SECUNIA",
            id: "52311",
            trust: 1,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004653",
            trust: 0.8,
         },
         {
            db: "CNVD",
            id: "CNVD-2011-2131",
            trust: 0.6,
         },
         {
            db: "MLIST",
            id: "[DOVECOT] 20110511 V2.0.13 RELEASED",
            trust: 0.6,
         },
         {
            db: "MLIST",
            id: "[OSS-SECURITY] 20110518 DOVECOT RELEASES",
            trust: 0.6,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-251",
            trust: 0.6,
         },
         {
            db: "PACKETSTORM",
            id: "120446",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "105652",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2131",
         },
         {
            db: "BID",
            id: "48003",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004653",
         },
         {
            db: "PACKETSTORM",
            id: "120446",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-251",
         },
         {
            db: "NVD",
            id: "CVE-2011-2166",
         },
      ],
   },
   id: "VAR-201105-0289",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2131",
         },
      ],
      trust: 0.06,
   },
   iot_taxonomy: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            category: [
               "Network device",
            ],
            sub_category: null,
            trust: 0.6,
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2131",
         },
      ],
   },
   last_update_date: "2024-11-23T21:31:43.967000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "NEWS-2.0",
            trust: 0.8,
            url: "http://www.dovecot.org/doc/NEWS-2.0",
         },
         {
            title: "Dovecot configuration error vulnerability patch",
            trust: 0.6,
            url: "https://www.cnvd.org.cn/patchInfo/show/4011",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2131",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004653",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-16",
            trust: 1.8,
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-004653",
         },
         {
            db: "NVD",
            id: "CVE-2011-2166",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 2.5,
            url: "http://dovecot.org/pipermail/dovecot/2011-may/059085.html",
         },
         {
            trust: 1.6,
            url: "http://www.dovecot.org/doc/news-2.0",
         },
         {
            trust: 1.6,
            url: "http://openwall.com/lists/oss-security/2011/05/18/4",
         },
         {
            trust: 1.1,
            url: "http://rhn.redhat.com/errata/rhsa-2013-0520.html",
         },
         {
            trust: 1,
            url: "http://secunia.com/advisories/52311",
         },
         {
            trust: 1,
            url: "http://www.securityfocus.com/bid/48003",
         },
         {
            trust: 1,
            url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/67675",
         },
         {
            trust: 0.8,
            url: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-2166",
         },
         {
            trust: 0.8,
            url: "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-2166",
         },
         {
            trust: 0.3,
            url: "http://www.dovecot.org/",
         },
         {
            trust: 0.1,
            url: "https://www.redhat.com/mailman/listinfo/rhsa-announce",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2011-2166",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/updates/classification/#low",
         },
         {
            trust: 0.1,
            url: "https://www.redhat.com/security/data/cve/cve-2011-4318.html",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/team/contact/",
         },
         {
            trust: 0.1,
            url: "https://www.redhat.com/security/data/cve/cve-2011-2166.html",
         },
         {
            trust: 0.1,
            url: "https://www.redhat.com/security/data/cve/cve-2011-2167.html",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/security/team/key/#package",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2011-4318",
         },
         {
            trust: 0.1,
            url: "http://bugzilla.redhat.com/):",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2011-2167",
         },
         {
            trust: 0.1,
            url: "https://access.redhat.com/knowledge/articles/11258",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-1929",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3304",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3706",
         },
         {
            trust: 0.1,
            url: "http://creativecommons.org/licenses/by-sa/2.5",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-0745",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3897",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3779",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2167",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3707",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2009-3897",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-3780",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-2166",
         },
         {
            trust: 0.1,
            url: "http://security.gentoo.org/",
         },
         {
            trust: 0.1,
            url: "https://bugs.gentoo.org.",
         },
         {
            trust: 0.1,
            url: "http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3235",
         },
         {
            trust: 0.1,
            url: "http://security.gentoo.org/glsa/glsa-201110-04.xml",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2009-3235",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-2131",
         },
         {
            db: "BID",
            id: "48003",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004653",
         },
         {
            db: "PACKETSTORM",
            id: "120446",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-251",
         },
         {
            db: "NVD",
            id: "CVE-2011-2166",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "CNVD",
            id: "CNVD-2011-2131",
         },
         {
            db: "BID",
            id: "48003",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-004653",
         },
         {
            db: "PACKETSTORM",
            id: "120446",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-251",
         },
         {
            db: "NVD",
            id: "CVE-2011-2166",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2011-06-05T00:00:00",
            db: "CNVD",
            id: "CNVD-2011-2131",
         },
         {
            date: "2011-05-26T00:00:00",
            db: "BID",
            id: "48003",
         },
         {
            date: "2012-03-27T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2011-004653",
         },
         {
            date: "2013-02-21T16:28:44",
            db: "PACKETSTORM",
            id: "120446",
         },
         {
            date: "2011-10-10T22:42:12",
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            date: "2011-05-25T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201105-251",
         },
         {
            date: "2011-05-24T23:55:04.433000",
            db: "NVD",
            id: "CVE-2011-2166",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2011-06-05T00:00:00",
            db: "CNVD",
            id: "CNVD-2011-2131",
         },
         {
            date: "2013-03-11T06:54:00",
            db: "BID",
            id: "48003",
         },
         {
            date: "2012-03-27T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2011-004653",
         },
         {
            date: "2011-05-26T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201105-251",
         },
         {
            date: "2024-11-21T01:27:44.050000",
            db: "NVD",
            id: "CVE-2011-2166",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "PACKETSTORM",
            id: "120446",
         },
         {
            db: "PACKETSTORM",
            id: "105652",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201105-251",
         },
      ],
      trust: 0.8,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Dovecot of  script-login Vulnerable to access restrictions",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-004653",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "configuration error",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201105-251",
         },
      ],
      trust: 0.6,
   },
}

var-201803-1087
Vulnerability from variot

A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart. dovecot Contains a resource management vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Dovecot is an open source IMAP and POP3 mail server based on Linux/UNIX-like systems. ========================================================================== Ubuntu Security Notice USN-3587-2 April 02, 2018

dovecot vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in Dovecot. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that Dovecot incorrectly handled parsing certain email addresses. (CVE-2017-14461)

It was discovered that Dovecot incorrectly handled TLS SNI config lookups. A remote attacker could possibly use this issue to cause Dovecot to crash, resulting in a denial of service. (CVE-2017-15130)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM: dovecot-core 1:2.0.19-0ubuntu2.5

In general, a standard system update will make all the necessary changes.

References: https://usn.ubuntu.com/usn/usn-3587-2 https://usn.ubuntu.com/usn/usn-3587-1 CVE-2017-14461, CVE-2017-15130 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512


Debian Security Advisory DSA-4130-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 02, 2018 https://www.debian.org/security/faq


Package : dovecot CVE ID : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132 Debian Bug : 888432 891819 891820

Several vulnerabilities have been discovered in the Dovecot email server. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2017-14461

Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that
Dovecot does not properly parse invalid email addresses, which may
cause a crash or leak memory contents to an attacker. Only
Dovecot configurations containing local_name { } or local { }
configuration blocks are affected.

CVE-2017-15132

It was discovered that Dovecot contains a memory leak flaw in the
login process on aborted SASL authentication.

For the oldstable distribution (jessie), these problems have been fixed in version 1:2.2.13-12~deb8u4.

For the stable distribution (stretch), these problems have been fixed in version 1:2.2.27-3+deb9u2.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dovecot

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqZzelfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0T8fg/+KmUzgEXDQFSnWOmSt+8GXFB08C2XtXmopMuej/1tjkZZ7B04vXfkgYZ9 u7zICbM56VrTmnXOYnLuXjqLrzGO0Y9jX+Z5G4BSw0TgP+g6ME72ZvqxuE4IKQqi QlaKTX86B1AMpzvkLrhwXlArJDr7pJzOonFJds6rKtVA4OvY4/fAAWrH89BFchet VwdO5rngcd/qnAYVOZglTMfgVlzxvenx+0fbQ6JFS6T8ODOFSsnwth64u3KY8yYj 4PGTBqX4m+2S2q2qGinueBgHNUV4RK71Zw1QYDa2gMBQR3HtlMnDhmQ4uYCvKP04 Z1GJYX6dMxMSWPKC2WecrdCSV+QAdMlYypKbhqcLA4LHcdPR+v35oQT4X/SYd2WS Zf50KMYUm9Q3YiOHVDrJo+o21hX4g8hRw1wdewZz+wyQ1n1TOlVtRh4vmACKRzNx 7bUayEvVU3q3VQd+dDH2Bl+TBiO7RB5/b2pHp8vHwAlVX00jYSSnoLUKT0L4BQ54 +1DZ8j88OFKDxTgOsbk19rhfraY7iejAjHZDVnJBwC/tB9REG6DOrDIG4OJqTKw4 sP1JaHryOGXzOf/8h61rY5HAuwofGkAZN7S+Bel0+zGYJvIcSyxpBKvJB/0TDNjm E5KphLFG9RGVmdeVkQzG6tGUMnMXxFrAD5U3hlzUsNGLLA+RE78= =Yh09 -----END PGP SIGNATURE-----

Show details on source website


{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201803-1087",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "dovecot",
            scope: "lt",
            trust: 1.6,
            vendor: "dovecot",
            version: "2.2.34",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1.6,
            vendor: "canonical",
            version: "17.10",
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "8.0",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "14.04",
         },
         {
            model: "linux",
            scope: "eq",
            trust: 1,
            vendor: "debian",
            version: "9.0",
         },
         {
            model: "ubuntu linux",
            scope: "eq",
            trust: 1,
            vendor: "canonical",
            version: "16.04",
         },
         {
            model: "ubuntu",
            scope: null,
            trust: 0.8,
            vendor: "canonical",
            version: null,
         },
         {
            model: "gnu/linux",
            scope: null,
            trust: 0.8,
            vendor: "debian",
            version: null,
         },
         {
            model: "dovecot",
            scope: "lt",
            trust: 0.8,
            vendor: "timo sirainen",
            version: "2.2.34",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2018-05070",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012758",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201803-092",
         },
         {
            db: "NVD",
            id: "CVE-2017-15130",
         },
      ],
   },
   configurations: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/configurations#",
         children: {
            "@container": "@list",
         },
         cpe_match: {
            "@container": "@list",
         },
         data: {
            "@container": "@list",
         },
         nodes: {
            "@container": "@list",
         },
      },
      data: [
         {
            CVE_data_version: "4.0",
            nodes: [
               {
                  cpe_match: [
                     {
                        cpe22Uri: "cpe:/o:canonical:ubuntu",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/o:debian:debian_linux",
                        vulnerable: true,
                     },
                     {
                        cpe22Uri: "cpe:/a:dovecot:dovecot",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2017-012758",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Ubuntu",
      sources: [
         {
            db: "PACKETSTORM",
            id: "147005",
         },
         {
            db: "PACKETSTORM",
            id: "146647",
         },
      ],
      trust: 0.2,
   },
   cve: "CVE-2017-15130",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "PARTIAL",
                  baseScore: 4.3,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 8.6,
                  id: "CVE-2017-15130",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 1.8,
                  vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P",
                  version: "2.0",
               },
               {
                  accessComplexity: "HIGH",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "CNVD",
                  availabilityImpact: "PARTIAL",
                  baseScore: 2.6,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 4.9,
                  id: "CNVD-2018-05070",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "LOW",
                  trust: 0.6,
                  vectorString: "AV:N/AC:H/Au:N/C:N/I:N/A:P",
                  version: "2.0",
               },
            ],
            cvssV3: [
               {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  author: "nvd@nist.gov",
                  availabilityImpact: "HIGH",
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 2.2,
                  id: "CVE-2017-15130",
                  impactScore: 3.6,
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  trust: 1.8,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.0",
               },
            ],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2017-15130",
                  trust: 1,
                  value: "MEDIUM",
               },
               {
                  author: "NVD",
                  id: "CVE-2017-15130",
                  trust: 0.8,
                  value: "Medium",
               },
               {
                  author: "CNVD",
                  id: "CNVD-2018-05070",
                  trust: 0.6,
                  value: "LOW",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201803-092",
                  trust: 0.6,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2018-05070",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012758",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201803-092",
         },
         {
            db: "NVD",
            id: "CVE-2017-15130",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart. dovecot Contains a resource management vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Dovecot is an open source IMAP and POP3 mail server based on Linux/UNIX-like systems. ==========================================================================\nUbuntu Security Notice USN-3587-2\nApril 02, 2018\n\ndovecot vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 12.04 ESM\n\nSummary:\n\nSeveral security issues were fixed in Dovecot. This update provides\nthe corresponding update for Ubuntu 12.04 ESM. \n\nOriginal advisory details:\n\n It was discovered that Dovecot incorrectly handled parsing certain\n email addresses. (CVE-2017-14461)\n\n It was discovered that Dovecot incorrectly handled TLS SNI config\n lookups. A remote attacker could possibly use this issue to cause\n Dovecot to crash, resulting in a denial of service. (CVE-2017-15130)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 12.04 ESM:\n  dovecot-core                    1:2.0.19-0ubuntu2.5\n\nIn general, a standard system update will make all the necessary\nchanges. \n\nReferences:\n  https://usn.ubuntu.com/usn/usn-3587-2\n  https://usn.ubuntu.com/usn/usn-3587-1\n  CVE-2017-14461, CVE-2017-15130\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4130-1                   security@debian.org\nhttps://www.debian.org/security/                     Salvatore Bonaccorso\nMarch 02, 2018                        https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage        : dovecot\nCVE ID         : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132\nDebian Bug     : 888432 891819 891820\n\nSeveral vulnerabilities have been discovered in the Dovecot email\nserver. The Common Vulnerabilities and Exposures project identifies the\nfollowing issues:\n\nCVE-2017-14461\n\n    Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that\n    Dovecot does not properly parse invalid email addresses, which may\n    cause a crash or leak memory contents to an attacker. Only\n    Dovecot configurations containing local_name { } or local { }\n    configuration blocks are affected. \n\nCVE-2017-15132\n\n    It was discovered that Dovecot contains a memory leak flaw in the\n    login process on aborted SASL authentication. \n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 1:2.2.13-12~deb8u4. \n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1:2.2.27-3+deb9u2. \n\nWe recommend that you upgrade your dovecot packages. \n\nFor the detailed security status of dovecot please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/dovecot\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqZzelfFIAAAAAALgAo\naXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2\nNDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND\nz0T8fg/+KmUzgEXDQFSnWOmSt+8GXFB08C2XtXmopMuej/1tjkZZ7B04vXfkgYZ9\nu7zICbM56VrTmnXOYnLuXjqLrzGO0Y9jX+Z5G4BSw0TgP+g6ME72ZvqxuE4IKQqi\nQlaKTX86B1AMpzvkLrhwXlArJDr7pJzOonFJds6rKtVA4OvY4/fAAWrH89BFchet\nVwdO5rngcd/qnAYVOZglTMfgVlzxvenx+0fbQ6JFS6T8ODOFSsnwth64u3KY8yYj\n4PGTBqX4m+2S2q2qGinueBgHNUV4RK71Zw1QYDa2gMBQR3HtlMnDhmQ4uYCvKP04\nZ1GJYX6dMxMSWPKC2WecrdCSV+QAdMlYypKbhqcLA4LHcdPR+v35oQT4X/SYd2WS\nZf50KMYUm9Q3YiOHVDrJo+o21hX4g8hRw1wdewZz+wyQ1n1TOlVtRh4vmACKRzNx\n7bUayEvVU3q3VQd+dDH2Bl+TBiO7RB5/b2pHp8vHwAlVX00jYSSnoLUKT0L4BQ54\n+1DZ8j88OFKDxTgOsbk19rhfraY7iejAjHZDVnJBwC/tB9REG6DOrDIG4OJqTKw4\nsP1JaHryOGXzOf/8h61rY5HAuwofGkAZN7S+Bel0+zGYJvIcSyxpBKvJB/0TDNjm\nE5KphLFG9RGVmdeVkQzG6tGUMnMXxFrAD5U3hlzUsNGLLA+RE78=\n=Yh09\n-----END PGP SIGNATURE-----\n",
      sources: [
         {
            db: "NVD",
            id: "CVE-2017-15130",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012758",
         },
         {
            db: "CNVD",
            id: "CNVD-2018-05070",
         },
         {
            db: "PACKETSTORM",
            id: "147005",
         },
         {
            db: "PACKETSTORM",
            id: "146647",
         },
         {
            db: "PACKETSTORM",
            id: "146656",
         },
      ],
      trust: 2.43,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2017-15130",
            trust: 3.3,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012758",
            trust: 0.8,
         },
         {
            db: "CNVD",
            id: "CNVD-2018-05070",
            trust: 0.6,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201803-092",
            trust: 0.6,
         },
         {
            db: "PACKETSTORM",
            id: "147005",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "146647",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "146656",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2018-05070",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012758",
         },
         {
            db: "PACKETSTORM",
            id: "147005",
         },
         {
            db: "PACKETSTORM",
            id: "146647",
         },
         {
            db: "PACKETSTORM",
            id: "146656",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201803-092",
         },
         {
            db: "NVD",
            id: "CVE-2017-15130",
         },
      ],
   },
   id: "VAR-201803-1087",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2018-05070",
         },
      ],
      trust: 0.06,
   },
   iot_taxonomy: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            category: [
               "Network device",
            ],
            sub_category: null,
            trust: 0.6,
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2018-05070",
         },
      ],
   },
   last_update_date: "2024-11-23T22:34:19.750000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "[SECURITY] [DLA 1333-1] dovecot security update",
            trust: 0.8,
            url: "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html",
         },
         {
            title: "DSA-4130",
            trust: 0.8,
            url: "https://www.debian.org/security/2018/dsa-4130",
         },
         {
            title: "[Dovecot-news] v2.2.34 released",
            trust: 0.8,
            url: "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html",
         },
         {
            title: "USN-3587-1",
            trust: 0.8,
            url: "https://usn.ubuntu.com/3587-1/",
         },
         {
            title: "USN-3587-2",
            trust: 0.8,
            url: "https://usn.ubuntu.com/3587-2/",
         },
         {
            title: "Patch for dovecot denial of service vulnerability (CNVD-2018-05070)",
            trust: 0.6,
            url: "https://www.cnvd.org.cn/patchInfo/show/121071",
         },
         {
            title: "Dovecot Security vulnerabilities",
            trust: 0.6,
            url: "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78880",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2018-05070",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012758",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201803-092",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-400",
            trust: 1,
         },
         {
            problemtype: "NVD-CWE-noinfo",
            trust: 1,
         },
         {
            problemtype: "CWE-399",
            trust: 0.8,
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2017-012758",
         },
         {
            db: "NVD",
            id: "CVE-2017-15130",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 1.7,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-15130",
         },
         {
            trust: 1.6,
            url: "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html",
         },
         {
            trust: 1.6,
            url: "https://usn.ubuntu.com/3587-2/",
         },
         {
            trust: 1.6,
            url: "https://www.debian.org/security/2018/dsa-4130",
         },
         {
            trust: 1.6,
            url: "https://usn.ubuntu.com/3587-1/",
         },
         {
            trust: 1.6,
            url: "http://seclists.org/oss-sec/2018/q1/205",
         },
         {
            trust: 1.6,
            url: "https://www.dovecot.org/list/dovecot-news/2018-february/000370.html",
         },
         {
            trust: 1.6,
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=1532356",
         },
         {
            trust: 0.8,
            url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-15130",
         },
         {
            trust: 0.3,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-14461",
         },
         {
            trust: 0.2,
            url: "https://usn.ubuntu.com/usn/usn-3587-1",
         },
         {
            trust: 0.1,
            url: "https://usn.ubuntu.com/usn/usn-3587-2",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/dovecot/1:2.2.9-1ubuntu2.4",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/dovecot/1:2.2.22-1ubuntu2.7",
         },
         {
            trust: 0.1,
            url: "https://launchpad.net/ubuntu/+source/dovecot/1:2.2.27-3ubuntu1.3",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/faq",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2017-15132",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/",
         },
         {
            trust: 0.1,
            url: "https://security-tracker.debian.org/tracker/dovecot",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2018-05070",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012758",
         },
         {
            db: "PACKETSTORM",
            id: "147005",
         },
         {
            db: "PACKETSTORM",
            id: "146647",
         },
         {
            db: "PACKETSTORM",
            id: "146656",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201803-092",
         },
         {
            db: "NVD",
            id: "CVE-2017-15130",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "CNVD",
            id: "CNVD-2018-05070",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2017-012758",
         },
         {
            db: "PACKETSTORM",
            id: "147005",
         },
         {
            db: "PACKETSTORM",
            id: "146647",
         },
         {
            db: "PACKETSTORM",
            id: "146656",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201803-092",
         },
         {
            db: "NVD",
            id: "CVE-2017-15130",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2018-03-13T00:00:00",
            db: "CNVD",
            id: "CNVD-2018-05070",
         },
         {
            date: "2018-04-13T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2017-012758",
         },
         {
            date: "2018-04-02T16:54:55",
            db: "PACKETSTORM",
            id: "147005",
         },
         {
            date: "2018-03-05T22:23:00",
            db: "PACKETSTORM",
            id: "146647",
         },
         {
            date: "2018-03-05T23:45:22",
            db: "PACKETSTORM",
            id: "146656",
         },
         {
            date: "2018-03-07T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201803-092",
         },
         {
            date: "2018-03-02T15:29:00.273000",
            db: "NVD",
            id: "CVE-2017-15130",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2018-03-13T00:00:00",
            db: "CNVD",
            id: "CNVD-2018-05070",
         },
         {
            date: "2018-04-13T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2017-012758",
         },
         {
            date: "2019-10-23T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201803-092",
         },
         {
            date: "2024-11-21T03:14:07.867000",
            db: "NVD",
            id: "CVE-2017-15130",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "PACKETSTORM",
            id: "147005",
         },
         {
            db: "PACKETSTORM",
            id: "146647",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201803-092",
         },
      ],
      trust: 0.8,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "dovecot Resource management vulnerability",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2017-012758",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "resource management error",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201803-092",
         },
      ],
      trust: 0.6,
   },
}