Latest dovecot dovecot Vulnerabilities

CVE-2022-30550
An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and me...
>=2.3<2.3.20
=2.2
=10.0
Dovecot Dovecot>=2.3<2.3.20
Dovecot Dovecot=2.2
Debian Debian Linux=10.0
CVE-2021-33515
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.
Dovecot Dovecot<2.3.14.1
Fedoraproject Fedora=33
Fedoraproject Fedora=34
Debian Debian Linux=10.0
CVE-2020-28200
The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.
Dovecot Dovecot<2.3.15
Fedoraproject Fedora=33
Fedoraproject Fedora=34
CVE-2021-29157
Dovecot Dovecot>=2.3.11<2.3.14.1
Fedoraproject Fedora=33
Fedoraproject Fedora=34
CVE-2020-24386
Dovecot Dovecot>=2.2.26<2.3.13
Debian Debian Linux=10.0
Fedoraproject Fedora=32
debian/dovecot
CVE-2020-25275
Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.
Dovecot Dovecot<2.3.13
Debian Debian Linux=10.0
Fedoraproject Fedora=32
debian/dovecot
CVE-2020-12674
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.
ubuntu/dovecot<2.3.11
ubuntu/dovecot<1:2.2.33.2-1ubuntu4.6
ubuntu/dovecot<1:2.3.7.2-1ubuntu3.2
ubuntu/dovecot<1:2.2.9-1ubuntu2.6+
ubuntu/dovecot<1:2.2.22-1ubuntu2.13
<2.3.11.3
and 20 more
CVE-2020-12673
In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.
<2.3.11.3
=9.0
=10.0
=14.04
=16.04
=18.04
and 20 more
CVE-2020-12100
In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nes...
ubuntu/dovecot<1:2.2.33.2-1ubuntu4.6
ubuntu/dovecot<1:2.3.7.2-1ubuntu3.2
ubuntu/dovecot<1:2.2.9-1ubuntu2.6+
ubuntu/dovecot<2.3.11
ubuntu/dovecot<1:2.2.22-1ubuntu2.13
<2.3.11.3
and 20 more
CVE-2020-10957
In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp.
debian/dovecot<=1:2.3.2-1<=1:2.3.7.2-1<=1:2.3.4.1-5+deb10u1
Dovecot Dovecot<2.3.10.1
debian/dovecot
CVE-2020-10958
In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving m...
Dovecot Dovecot<2.3.10.1
debian/dovecot
CVE-2020-7957
The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a deni...
Dovecot Dovecot>=2.3.9<2.3.9.3
Fedoraproject Fedora=30
Fedoraproject Fedora=31
CVE-2020-7046
lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login inf...
Dovecot Dovecot>=2.3.9<2.3.9.3
Fedoraproject Fedora=30
Fedoraproject Fedora=31
CVE-2019-19722
In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group add...
Dovecot Dovecot<2.3.9.2
Fedoraproject Fedora=30
Fedoraproject Fedora=31
CVE-2019-11500
In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead t...
redhat/dovecot<2.3.7.2
redhat/dovecot<2.2.36.4
Dovecot Dovecot<2.2.36.4
Dovecot Dovecot>=2.3.0<2.3.7.2
Dovecot Pigeonhole<0.5.7.2
Debian Debian Linux=8.0
and 1 more
CVE-2019-11494
In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command.
Dovecot Dovecot>=2.3.3<=2.3.5.2
Fedoraproject Fedora=29
Fedoraproject Fedora=30
openSUSE Leap=15.0
openSUSE Leap=15.1
CVE-2019-11499
In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message.
Dovecot Dovecot>=2.3.3<=2.3.5.2
Fedoraproject Fedora=29
Fedoraproject Fedora=30
openSUSE Leap=15.0
openSUSE Leap=15.1
CVE-2019-10691
The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username.
Dovecot Dovecot<2.3.5.2
openSUSE Leap=15.0
CVE-2019-7524
In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing ch...
<2.2.36.3
>=2.3.0<2.3.5.1
=8.0
=9.0
=14.04
=16.04
and 22 more
CVE-2019-3814
It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could p...
Dovecot Dovecot>=1.1.0<2.2.36.1
Dovecot Dovecot>=2.3.0<2.3.4.1
Canonical Ubuntu Linux=12.04
Canonical Ubuntu Linux=14.04
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
and 10 more

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203