CVE-2020-10957: Null Pointer Dereference
First published: Mon May 18 2020(Updated: )
In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/dovecot | <=1:2.3.2-1<=1:2.3.7.2-1<=1:2.3.4.1-5+deb10u1 | 1:2.3.4.1-5+deb10u2 1:2.3.10.1+dfsg1-1 |
| Dovecot Dovecot | <2.3.10.1 | |
| debian/dovecot | 1:2.3.4.1-5+deb10u6 1:2.3.4.1-5+deb10u7 1:2.3.13+dfsg1-2+deb11u1 1:2.3.19.1+dfsg1-2.1 1:2.3.21+dfsg1-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2020-10957
- https://security-tracker.debian.org/tracker/CVE-2020-10958
- https://security-tracker.debian.org/tracker/CVE-2020-10967
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10957
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10958
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10967
- https://www.debian.org/security/2020/dsa-4690
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960963
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html
- http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html
- http://seclists.org/fulldisclosure/2020/May/37
- http://www.openwall.com/lists/oss-security/2020/05/18/1
- https://dovecot.org/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VVUWHUUAFPC6XGIXYFIPTNBXLHPNM4W6/
- https://usn.ubuntu.com/4361-1/
- https://www.openwall.com/lists/oss-security/2020/05/18/1
Frequently Asked Questions
What is CVE-2020-10957?
CVE-2020-10957 is a vulnerability in Dovecot before 2.3.10.1 that allows unauthenticated sending of malformed parameters to a NOOP command, causing a NULL Pointer Dereference and crash.
How does CVE-2020-10957 impact Dovecot?
CVE-2020-10957 can be exploited by an attacker to cause a denial of service (crash) in the submission-login, submission, or lmtp components of Dovecot.
What is the severity of CVE-2020-10957?
CVE-2020-10957 has a severity rating of 7.5 (high).
How can I fix CVE-2020-10957?
To fix CVE-2020-10957, upgrade to Dovecot version 2.3.10.1 or later.
Where can I find more information about CVE-2020-10957?
You can find more information about CVE-2020-10957 at the following references: [Link 1](http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html), [Link 2](http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html), [Link 3](http://seclists.org/fulldisclosure/2020/May/37).
- collector/debian-bugs
- alias/CVE-2020-10957
- collector/nvd-index
- collector/security-tracker-debian
- package-manager/debian
- vendor/dovecot
- canonical/dovecot dovecot