139 matches found
Amazon Linux 2 : dovecot (ALAS-2024-2719)
The version of dovecot installed on the remote host is prior to 2.2.36-6. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2719 advisory. Dovecot reports: A DoS is possible with a large number of address headers or abnormally large email headers. CVE-2024-23185 Tenabl...
Astra Linux - vulnerability in dovecot
Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines, CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors...
USN-7013-1 dovecot vulnerabilities
It was discovered that Dovecot incorrectly handled a large number of address headers. A remote attacker could possibly use this issue to cause Dovecot to consume resources, leading to a denial of service. CVE-2024-23184 It was discovered that Dovecot incorrectly handled very large headers. A remo...
CVE-2024-23185
Very large headers can cause resource exhaustion when parsing a message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up a "fullvalue" buffer out of the smaller chunks. The fullvalue buffer has no si...
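The two entries above (CVE-2024-23184, too many address headers; CVE-2024-23185, an unbounded "fullvalue" buffer) call for the same defence: check limits while the header is still being assembled, not after. The following Python model is an added example written for this page, not Dovecot's code. It feeds a message to a header parser in small chunks and rejects the message as soon as one folded header grows past max_header_size or the count of address headers passes max_address_headers; both limit values and the helper names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Header names whose values go through the (expensive) address-list parser.
ADDRESS_HEADERS = {"from", "to", "cc", "bcc", "sender", "reply-to"}


class HeaderLimitExceeded(Exception):
    """Raised the moment a limit is crossed, before the rest of the message is read."""


@dataclass(frozen=True)
class Limits:
    # Both defaults are hypothetical values chosen for this example, not Dovecot settings.
    max_header_size: int = 64 * 1024   # bytes for one header, folded lines included
    max_address_headers: int = 100     # address headers accepted per message


def lines_from_chunks(chunks: Iterator[bytes]) -> Iterator[bytes]:
    """Reassemble complete lines from chunks split at arbitrary byte offsets."""
    pending = b""
    for chunk in chunks:
        pending += chunk
        while True:
            nl = pending.find(b"\n")
            if nl < 0:
                break
            yield pending[:nl + 1]
            pending = pending[nl + 1:]
    if pending:                      # unterminated last line
        yield pending


def parse_headers(message: bytes, limits: Limits = Limits(),
                  chunk_size: int = 4096) -> List[Tuple[str, str]]:
    """Parse the header block, enforcing limits while the 'fullvalue' buffer grows.

    The message is consumed in fixed-size chunks, as a message-parser would feed a
    header parser.  The accumulating buffer is checked after every appended line,
    so an oversized header is rejected long before it is fully assembled, and
    address headers are counted as each one completes.
    """
    headers: List[Tuple[str, str]] = []
    fullvalue = bytearray()
    address_count = 0

    def flush() -> None:
        nonlocal address_count
        name, sep, value = bytes(fullvalue).partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % bytes(fullvalue[:40]))
        name_s = name.strip().decode("ascii", "replace").lower()
        if name_s in ADDRESS_HEADERS:
            address_count += 1
            if address_count > limits.max_address_headers:
                raise HeaderLimitExceeded(
                    "more than %d address headers" % limits.max_address_headers)
        # Unfold: a line break followed by whitespace is a single space (RFC 5322 2.2.3).
        unfolded = re.sub(rb"\r?\n[ \t]+", b" ", value).strip()
        headers.append((name_s, unfolded.decode("utf-8", "replace")))

    def chunks() -> Iterator[bytes]:
        for i in range(0, len(message), chunk_size):
            yield message[i:i + chunk_size]

    for line in lines_from_chunks(chunks()):
        if line in (b"\r\n", b"\n"):         # blank line: end of header block
            break
        if line[:1] in (b" ", b"\t"):         # folded continuation of the current header
            if not fullvalue:
                raise ValueError("continuation line before any header")
            fullvalue += line
        else:
            if fullvalue:
                flush()
            fullvalue = bytearray(line)
        if len(fullvalue) > limits.max_header_size:
            raise HeaderLimitExceeded("header exceeds %d bytes" % limits.max_header_size)
    if fullvalue:
        flush()
    return headers


def check_message(message: bytes, limits: Limits = Limits(),
                  chunk_size: int = 4096) -> str:
    """'ok', or 'rejected: <reason>' for a message that crosses a limit."""
    try:
        parse_headers(message, limits, chunk_size)
    except HeaderLimitExceeded as exc:
        return "rejected: %s" % exc
    return "ok"
```

The point of the chunked feed is that the size check sits on the accumulating buffer rather than on the chunk: with chunk_size=64 and a 5 KB folded Subject header, the parser still stops after the first kilobyte, and a run of To: headers is refused at the limit without parsing the addresses that follow.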
AZL-69869 CVE-2024-25584 affecting package dovecot 2.3.20-1
Dovecot accepts the LF DOT LF sequence as the end of the DATA command. The RFC requires that it always be CR LF DOT CR LF. As a result, Dovecot splits a single mail containing LF DOT LF in the middle into two emails when relaying over SMTP. Upgrade to latest...
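To make the CVE-2024-25584 entry concrete, here is an added Python model (written for this page, not Dovecot's lib-smtp) of a DATA-stream reader with the lax and the strict terminator rule side by side, plus the sender-side encoding that makes the question moot. The SAMPLE_DATA payload is constructed for the example, not captured traffic; the function names are hypothetical.

```python
from typing import Iterator, List

# Constructed DATA payload (not captured traffic): one message whose body contains a
# bare-LF "." line, followed by the real CRLF "." CRLF terminator.
SAMPLE_DATA = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"first part\n"
    b".\n"
    b"second part\r\n"
    b"..one leading dot\r\n"
    b".\r\n"
)


def iter_lines(stream: bytes) -> Iterator[bytes]:
    """Yield lines split on LF only, keeping the line ending (a lone CR is data)."""
    start = 0
    while start < len(stream):
        nl = stream.find(b"\n", start)
        if nl < 0:
            yield stream[start:]
            return
        yield stream[start:nl + 1]
        start = nl + 1


def split_data_stream(stream: bytes, accept_bare_lf: bool = False) -> List[bytes]:
    """Split a raw DATA stream into the messages a receiver would accept.

    accept_bare_lf=False: only CRLF "." CRLF ends DATA (RFC 5321 section 4.1.1.4).
    accept_bare_lf=True:  LF "." LF also ends DATA, the lax behaviour described above.
    Dot-stuffing is undone on content lines (RFC 5321 section 4.5.2).  Content after
    the last terminator is still in progress and is not returned.
    """
    messages: List[bytes] = []
    current: List[bytes] = []
    prev_crlf = True                 # the DATA command line itself ended with CRLF
    for line in iter_lines(stream):
        if line == b".\r\n" and prev_crlf:
            terminator = True
        elif accept_bare_lf and line in (b".\n", b".\r\n"):
            terminator = True
        else:
            terminator = False
        if terminator:
            messages.append(b"".join(current))
            current = []
            prev_crlf = True
            continue
        if line.startswith(b".."):
            line = line[1:]          # dot-unstuffing
        current.append(line)
        prev_crlf = line.endswith(b"\r\n")
    return messages


def encode_for_data(message: bytes) -> bytes:
    """Sender side: normalise every line ending to CRLF and dot-stuff, then append
    the terminator, so neither a strict nor a lax receiver can mistake content for
    end-of-DATA."""
    out: List[bytes] = []
    for line in iter_lines(message):
        if line.endswith(b"\r\n"):
            body = line[:-2]
        elif line.endswith(b"\n"):
            body = line[:-1]
        else:
            body = line
        if body.startswith(b"."):
            body = b"." + body
        out.append(body + b"\r\n")
    return b"".join(out) + b".\r\n"
```

Run strictly, SAMPLE_DATA yields one message with the bare "." line kept as content; with accept_bare_lf=True the same bytes yield two messages, which is the split described in the advisory. A relay that passes bodies through encode_for_data before sending cannot trigger either reading, because no bare LF and no unstuffed leading dot survive.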
PT-2024-7272 · Dovecot +10
Name of the vulnerable software and affected versions: Dovecot (affected versions not specified). Description: The issue is related to resource exhaustion when parsing messages with very large headers. The message-parser reads reasonably sized chunks of the message, but when it feeds them to the...
SUSE CVE-2007-2231
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name...
SUSE CVE-2008-4577
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions...
SUSE CVE-2010-0745
Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) via long headers in an e-mail message...
SUSE CVE-2013-6171
checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the...
SUSE CVE-2015-3420
The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allows remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures...
SUSE CVE-2020-10967
In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart...
Oracle Linux 9 : dovecot (ELSA-2022-8208)
The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-8208 advisory. Changelog: 1:2.3.16-7.0.1 - do not run systemd commands during leapp upgrade (Orabug: 34680501); 1:2.3.16-7 - fix possible privilege escalation when similar master and...
USN-5509-1: Dovecot vulnerability
Julian Brook discovered that Dovecot incorrectly handled multiple passdb configuration entries. In certain configurations, a remote attacker could possibly use this issue to escalate privileges...
AZL-7196 CVE-2021-33515 affecting package dovecot for versions less than 2.3.20-1
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address...
AZL-7195 CVE-2021-29157 affecting package dovecot for versions less than 2.3.20-1
Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver...
Email Bug Allows Message Snooping, Credential Theft
Researchers warn hackers can snoop on email messages by exploiting a bug in the underlying technology used by the majority of email servers that run the Internet Message Access Protocol, commonly referred to as IMAP. The bug, first reported in August 2020 and patched Monday, is tied to the email...
UBUNTU-CVE-2020-28200
The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension...
Dovecot resource management error vulnerability
Dovecot is an open source IMAP and POP3 mail server for Linux/UNIX-like systems. Dovecot suffers from a resource management error vulnerability that stems from improper management of internal resources in the Sieve regular-expression (regex) extension. A remote attacker could pass specially crafted...