First published: Tue Feb 05 2019(Updated: )
It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Dovecot Dovecot | >=1.1.0<2.2.36.1 | |
Dovecot Dovecot | >=2.3.0<2.3.4.1 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
openSUSE Leap | =42.3 | |
redhat/dovecot | <2.2.36.1 | 2.2.36.1 |
redhat/dovecot | <2.3.4.1 | 2.3.4.1 |
ubuntu/dovecot | <1:2.2.33.2-1ubuntu4.2 | 1:2.2.33.2-1ubuntu4.2 |
ubuntu/dovecot | <1:2.3.2.1-1ubuntu3.1 | 1:2.3.2.1-1ubuntu3.1 |
ubuntu/dovecot | <1:2.2.9-1ubuntu2.5 | 1:2.2.9-1ubuntu2.5 |
ubuntu/dovecot | <2.2.36.1<2.3.4.1 | 2.2.36.1 2.3.4.1 |
ubuntu/dovecot | <1:2.2.22-1ubuntu2.9 | 1:2.2.22-1ubuntu2.9 |
debian/dovecot | 1:2.3.4.1-5+deb10u6 1:2.3.4.1-5+deb10u7 1:2.3.13+dfsg1-2+deb11u1 1:2.3.19.1+dfsg1-2.1 1:2.3.21+dfsg1-3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2019-3814 is a vulnerability in Dovecot that incorrectly handles client certificates, allowing a remote attacker to impersonate other users.
The severity of CVE-2019-3814 is high, with a severity value of 6.8.
CVE-2019-3814 affects Dovecot versions 2.2.36.1 and 2.3.4.1.
An attacker in possession of a valid certificate with an empty username field can exploit CVE-2019-3814 to impersonate other users.
Yes, updating to Dovecot versions 2.2.36.1 or 2.3.4.1 can fix CVE-2019-3814.