CVE-2020-24386
First published: Mon Jan 04 2021(Updated: )
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/dovecot | 1:2.3.4.1-5+deb10u6 1:2.3.4.1-5+deb10u7 1:2.3.13+dfsg1-2+deb11u1 1:2.3.19.1+dfsg1-2.1 1:2.3.20+dfsg1-1 1:2.3.21+dfsg1-1 | |
| Dovecot Dovecot | >=2.2.26<2.3.13 | |
| Debian | =10.0 | |
| Fedoraproject Fedora | =32 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html
- http://seclists.org/fulldisclosure/2021/Jan/18
- http://www.openwall.com/lists/oss-security/2021/01/04/4
- https://doc.dovecot.org/configuration_manual/hibernation/
- https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
- https://dovecot.org/security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/
- https://security.gentoo.org/glsa/202101-01
- https://www.debian.org/security/2021/dsa-4825
- https://github.com/dovecot/core/commit/00df2308b0733e810824545183d73276c416cdd3
- https://github.com/dovecot/core/commit/b4a9872b833b7985c7d0e7615f1b7fc812dd4c55
- https://security-tracker.debian.org/tracker/CVE-2020-24386
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/
Frequently Asked Questions
What is CVE-2020-24386?
CVE-2020-24386 is a vulnerability in Dovecot, versions before 2.3.13, that allows an authenticated attacker to access other users' email messages and disclose the server's file path.
How can an attacker exploit CVE-2020-24386?
An attacker can exploit CVE-2020-24386 by using IMAP IDLE to trigger unhibernation with attacker-controlled parameters.
What is the severity of CVE-2020-24386?
CVE-2020-24386 has a severity rating of 6.8 (Medium).
Which versions of Dovecot are affected by CVE-2020-24386?
Versions of Dovecot before 2.3.13 are affected by CVE-2020-24386.
How can I fix CVE-2020-24386?
To fix CVE-2020-24386, you need to update Dovecot to version 2.3.13 or later.
- collector/security-tracker-debian
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/references
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/dovecot
- canonical/dovecot dovecot
- version/dovecot dovecot/2.2.26
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32