Command injection
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address...
CVE-2021-33515
CVE-2021-33515 affects Dovecot prior to 2.3.15, where the submission service (lib-smtp) allows STARTTLS command injection. This can cause sensitive information to be redirected to an attacker-controlled address. Affected context appears across multiple vendors/distros; several advisories note tha...
CVE-2021-33515
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address...
Dovecot 2.3.0 - 2.3.14 Information Disclosure Vulnerability
Dovecot is prone to an information disclosure vulnerability. Copyright (C) 2021 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software;...
SUSE SLES15 Security Update : dovecot23 (SUSE-SU-2021:2122-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2122-1 advisory. - Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication...
SUSE SLES15 Security Update : dovecot23 (SUSE-SU-2021:2124-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2124-1 advisory. - Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication...
openSUSE 15 Security Update : dovecot23 (openSUSE-SU-2021:0920-1)
The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:0920-1 advisory. - Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into usi...
FreeBSD : dovecot -- multiple vulnerabilities (d18f431d-d360-11eb-a32c-00a0989e4ec1)
Dovecot team reports: CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens in some configurations. This requires attacker to be able to write files to local disk. CVE-2021-33515: On-path attacke...
Command Injection
Dovecot is vulnerable to command injection. An on-path attacker could inject plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected...
CVE-2021-33515
It was found that dovecot could still accept plaintext commands while the STARTTLS negotiation process is ongoing. This could allow an active person in the middle, with valid credentials on dovecot, to, for example, steal confidential data such as the client's emails and passwords...
USN-4993-1: Dovecot vulnerabilities
Kirin discovered that Dovecot incorrectly escaped kid and azp fields in JWT tokens. A local attacker could possibly use this issue to validate tokens using arbitrary keys. This issue only affected Ubuntu 20.10 and Ubuntu 21.04. CVE-2021-29157 Fabian Ising and Damian Poddebniak discovered that...
USN-4993-1 dovecot vulnerabilities
Kirin discovered that Dovecot incorrectly escaped kid and azp fields in JWT tokens. A local attacker could possibly use this issue to validate tokens using arbitrary keys. This issue only affected Ubuntu 20.10 and Ubuntu 21.04. CVE-2021-29157 Fabian Ising and Damian Poddebniak discovered that...
Dovecot command injection vulnerability
Dovecot is an open source IMAP and POP3 mail server for Linux/UNIX-like systems. A command injection vulnerability exists in the submission service of Dovecot versions prior to 2.3.15, which allows an attacker to inject STARTTLS commands into lib-smtp, where sensitive information can be redirected to...
SUSE SLES11 Security Update : mutt (SUSE-SU-2020:14414-1)
The remote SUSE Linux SLES11 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2020:14414-1 advisory. - Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response. CVE-2020-14093 - Mutt before 1.14.3 proceeds...
SUSE: Security Advisory (SUSE-SU-2012:1147-1)
The remote host is missing an update for the SUSE-SU-2012:1147-1 advisory. SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Open-Xchange: Command Injection via STARTTLS in SMTP
During our research into the security of email servers at Münster University of Applied Sciences, we found a command injection vulnerability related to STARTTLS in Dovecot. See the attached advisory for details. The vulnerability allows a MITM attacker between a mail client and Dovecot to inject...
Huawei EulerOS: Security Advisory for evolution-data-server (EulerOS-SA-2021-1780)
The remote host is missing an update for the Huawei EulerOS evolution-data-server package. SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...