ArchLinuxASA-202106-56[ASA-202106-56] dovecot: information disclosure
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.004 Low
EPSS
Percentile
72.0%
Arch Linux Security Advisory ASA-202106-56
Severity: High
Date : 2021-06-22
CVE-ID : CVE-2021-29157 CVE-2021-33515
Package : dovecot
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-2087
Summary
The package dovecot before version 2.3.15-1 is vulnerable to
information disclosure.
Resolution
Upgrade to 2.3.15-1.
pacman -Syu “dovecot>=2.3.15-1”
The problems have been fixed upstream in version 2.3.15.
Workaround
CVE-2021-29157 can be mitigated by disabling local JWT validation in
oauth2, or using a different dict driver than fs:posix. No known
workaround exists for CVE-2021-33515.
Description
- CVE-2021-29157 (information disclosure)
A security issue has been found in Dovecot before version 2.3.14.1. The
kid and azp fields in JWT tokens are not correctly escaped. This may be
used to supply attacker controlled keys to validate tokens in some
configurations. The attack requires an attacker to be able to write
files to the local disk. As a result, a local attacker can login as any
user and access their emails.
- CVE-2021-33515 (information disclosure)
A security issue has been found in Dovecot before version 2.3.14.1. An
on-path attacker could inject plaintext commands before the STARTTLS
negotiation that would be executed after STARTTLS finished with the
client. Only the SMTP submission service is affected. As a result, an
attacker can potentially steal user credentials and emails. The
attacker needs to have sending permissions on the submission server (a
valid username and password).
Impact
A remote authenticated attacker or a local attacker with write access
to the disk could disclose user credentials and emails.
References
https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html
https://github.com/dovecot/core/commit/7f06f6274437ea97142df1f64f322b3ced44d0b3
https://github.com/dovecot/core/commit/7a77e070ddb6a67fe7a40118ba3e3f9b6062a7d1
https://github.com/dovecot/core/commit/bae4e44596d6548322665d242b055f44fe1dc58d
https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
https://github.com/dovecot/core/commit/65bd1a27a361545c9ccf405b955c72a9c4d29b38
https://security.archlinux.org/CVE-2021-29157
https://security.archlinux.org/CVE-2021-33515
References
dovecot.org/pipermail/dovecot-news/2021-June/000461.html
dovecot.org/pipermail/dovecot-news/2021-June/000462.html
github.com/dovecot/core/commit/65bd1a27a361545c9ccf405b955c72a9c4d29b38
github.com/dovecot/core/commit/7a77e070ddb6a67fe7a40118ba3e3f9b6062a7d1
github.com/dovecot/core/commit/7f06f6274437ea97142df1f64f322b3ced44d0b3
github.com/dovecot/core/commit/bae4e44596d6548322665d242b055f44fe1dc58d
security.archlinux.org/AVG-2087
security.archlinux.org/CVE-2021-29157
security.archlinux.org/CVE-2021-33515
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.004 Low
EPSS
Percentile
72.0%