CVSS3: 7.5 High (Attack Vector: NETWORK, Attack Complexity: LOW, Privileges Required: NONE, User Interaction: NONE, Scope: UNCHANGED, Confidentiality Impact: NONE, Integrity Impact: NONE, Availability Impact: HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score: 7.6 High (Confidence: High)
CVSS2: 5 Medium (Access Vector: NETWORK, Access Complexity: LOW, Authentication: NONE, Confidentiality Impact: NONE, Integrity Impact: NONE, Availability Impact: PARTIAL)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 0.037 Low (Percentile: 91.7%)
Issue Overview:
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled. A flaw was found in Dovecot: the way it handles RPA (Remote Passphrase Authentication) lets an attacker crash the authentication process repeatedly, preventing login. The highest threat from this vulnerability is to system availability. (CVE-2020-12674)
In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts. A flaw was found in Dovecot: a remote attacker could cause a denial of service by repeatedly sending e-mails containing malicious MIME parts that Dovecot will attempt to parse. The highest threat from this vulnerability is to system availability. (CVE-2020-12100)
In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read. A flaw was found in Dovecot: an out-of-bounds read in the way it handles NTLM authentication allows an attacker to crash the auth process repeatedly, preventing login. The highest threat from this vulnerability is to system availability. (CVE-2020-12673)
Affected Packages:
dovecot
Note:
This advisory applies to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update dovecot to update your system.
New Packages:
aarch64:
dovecot-2.2.36-6.amzn2.1.aarch64
dovecot-pigeonhole-2.2.36-6.amzn2.1.aarch64
dovecot-pgsql-2.2.36-6.amzn2.1.aarch64
dovecot-mysql-2.2.36-6.amzn2.1.aarch64
dovecot-devel-2.2.36-6.amzn2.1.aarch64
dovecot-debuginfo-2.2.36-6.amzn2.1.aarch64
i686:
dovecot-2.2.36-6.amzn2.1.i686
dovecot-pigeonhole-2.2.36-6.amzn2.1.i686
dovecot-pgsql-2.2.36-6.amzn2.1.i686
dovecot-mysql-2.2.36-6.amzn2.1.i686
dovecot-devel-2.2.36-6.amzn2.1.i686
dovecot-debuginfo-2.2.36-6.amzn2.1.i686
src:
dovecot-2.2.36-6.amzn2.1.src
x86_64:
dovecot-2.2.36-6.amzn2.1.x86_64
dovecot-pigeonhole-2.2.36-6.amzn2.1.x86_64
dovecot-pgsql-2.2.36-6.amzn2.1.x86_64
dovecot-mysql-2.2.36-6.amzn2.1.x86_64
dovecot-devel-2.2.36-6.amzn2.1.x86_64
dovecot-debuginfo-2.2.36-6.amzn2.1.x86_64
Red Hat: CVE-2020-12100, CVE-2020-12673, CVE-2020-12674
Mitre: CVE-2020-12100, CVE-2020-12673, CVE-2020-12674
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | aarch64 | dovecot | < 2.2.36-6.amzn2.1 | dovecot-2.2.36-6.amzn2.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | dovecot-pigeonhole | < 2.2.36-6.amzn2.1 | dovecot-pigeonhole-2.2.36-6.amzn2.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | dovecot-pgsql | < 2.2.36-6.amzn2.1 | dovecot-pgsql-2.2.36-6.amzn2.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | dovecot-mysql | < 2.2.36-6.amzn2.1 | dovecot-mysql-2.2.36-6.amzn2.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | dovecot-devel | < 2.2.36-6.amzn2.1 | dovecot-devel-2.2.36-6.amzn2.1.aarch64.rpm |
Amazon Linux | 2 | aarch64 | dovecot-debuginfo | < 2.2.36-6.amzn2.1 | dovecot-debuginfo-2.2.36-6.amzn2.1.aarch64.rpm |
Amazon Linux | 2 | i686 | dovecot | < 2.2.36-6.amzn2.1 | dovecot-2.2.36-6.amzn2.1.i686.rpm |
Amazon Linux | 2 | i686 | dovecot-pigeonhole | < 2.2.36-6.amzn2.1 | dovecot-pigeonhole-2.2.36-6.amzn2.1.i686.rpm |
Amazon Linux | 2 | i686 | dovecot-pgsql | < 2.2.36-6.amzn2.1 | dovecot-pgsql-2.2.36-6.amzn2.1.i686.rpm |
Amazon Linux | 2 | i686 | dovecot-mysql | < 2.2.36-6.amzn2.1 | dovecot-mysql-2.2.36-6.amzn2.1.i686.rpm |
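As an added verification check, not part of the advisory: after running the update from Issue Correction, this compares the installed dovecot packages against the fixed version 2.2.36-6.amzn2.1 from the package list above using rpm's version-ordering rules. The `rpmvercmp` function is a reimplementation of rpm's core comparison rules (an assumption, not a call into librpm), and the `rpm -q` output it parses is constructed sample data.

```python
import re
from itertools import zip_longest
# Fixed EVR from this advisory (Amazon Linux 2; the same for every listed dovecot subpackage).
FIXED_EVR = "2.2.36-6.amzn2.1"
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    # Reimplementation of rpm's core ordering rules (an assumption, not a call into librpm):
    # digit runs compare as integers, letter runs lexically, digits beat letters,
    # '~' sorts before anything, and extra trailing segments make a string newer.
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == y:
            continue
        if x is None or x == "~":  # a ran out or hit a pre-release marker: older, unless b did too
            return 1 if y == "~" else -1
        if y is None or y == "~":
            return 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return 0

def split_evr(evr: str):
    # '[epoch:]version-release' -> (epoch, version, release); epoch defaults to "0".
    epoch, _, rest = evr.partition(":") if ":" in evr else ("0", "", evr)
    return (epoch, *rest.partition("-")[::2])

def is_fixed(installed_evr: str) -> bool:
    # Compare epoch, then version, then release with rpm ordering; fixed when >= FIXED_EVR.
    for x, y in zip(split_evr(installed_evr), split_evr(FIXED_EVR)):
        if c := rpmvercmp(x, y):
            return c > 0
    return True

def audit(rpm_q_output: str) -> dict:
    # Parse NVRA lines as printed by `rpm -q 'dovecot*'` and report fix status per package.
    status = {}
    for line in rpm_q_output.split():
        nvr, _, _arch = line.rpartition(".")
        nv, _, release = nvr.rpartition("-")
        name, _, version = nv.rpartition("-")
        status[name] = is_fixed(f"{version}-{release}")
    return status

# Constructed sample (not from a real host): one stale package, one at the fix, one a release bump short.
SAMPLE_RPM_Q = ("dovecot-2.2.36-5.amzn2.x86_64\n"
                "dovecot-pigeonhole-2.2.36-6.amzn2.1.x86_64\n"
                "dovecot-mysql-2.2.36-6.amzn2.x86_64\n")
```

Note that 2.2.36-6.amzn2 is still reported as vulnerable: the fix is carried by the .1 release bump, so a check that only inspects the upstream version string would miss it.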