53 matches found
CVE-2026-27855
Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If...
PT-2026-24726
Name of the Vulnerable Software and Affected Versions Neo4j Enterprise edition versions prior to 2026.01.4 Description Excessive caching of authentication context in Neo4j Enterprise edition allows authenticated users to inherit the context of the first user who authenticated after a restart. Thi...
PT-2026-28363
Name of the Vulnerable Software and Affected Versions Dovecot versions prior to 2.4.3 Description Dovecot OTP authentication is susceptible to a replay attack under certain conditions. Specifically, if the authentication cache is enabled and a username is modified within the passdb, OTP credentia...
SUSE: Security Advisory (SUSE-SU-2025:21159-1)
The remote host is missing an update for the...
OPENSUSE-SU-2025-20113-1 Security update for dovecot24
This update for dovecot24 fixes the following issues: - Update dovecot to 2.4.2: - CVE-2025-30189: Fixed users cached with same cache key when auth cache was enabled bsc1252839 - Changes - auth: Remove proxyalways field. - config: Change settings history parsing to use python3. - doveadm: Print...
AZL-69833 CVE-2025-30189 affecting package dovecot 2.3.20-1
When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be used for these users. After cached login, all subsequent logins are for same user. Install fixed version or disable caching either globally or for the impacted...
EUVD-2012-3284
Malware in sbrugna...
[SECURITY] [DSA 6019-1] dovecot security update
Debian Security Advisory DSA-6019-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso October 05, 2025 https://www.debian.org/security/faq -...
Debian dsa-6019 : dovecot-auth-lua - security update
The remote Debian 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6019 advisory. Debian Security Advisory DSA-6019-1 [email protected] https://www.debian.org/security/...
Fedora 39 : golang-github-prometheus-exporter-toolkit / etc (2023-cf176d02d8)
The remote Fedora 39 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-cf176d02d8 advisory. Security fix for CVE-2022-46146, update to v0.10.0 Tenable has extracted the preceding description block directly from the Fedora security advisory...
Fedora 38 : golang-github-prometheus-exporter-toolkit / etc (2023-c1318fb7f8)
The remote Fedora 38 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-c1318fb7f8 advisory. Security fix for CVE-2022-46146, update to v0.10.0 Tenable has extracted the preceding description block directly from the Fedora security...
openSUSE 15 Security Update : golang-github-prometheus-prometheus (SUSE-SU-2023:1859-1)
The remote openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:1859-1 advisory. - Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file...
SUSE SLES12 Security Update : prometheus-ha_cluster_exporter (SUSE-SU-2023:0467-1)
The remote SUSE Linux SLES12 / SLESSAP12 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2023:0467-1 advisory. - Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a...
SUSE SLES15 Security Update : prometheus-ha_cluster_exporter (SUSE-SU-2023:0460-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2023:0460-1 advisory. - Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a...
SUSE SLES15 / openSUSE 15 Security Update : prometheus-ha_cluster_exporter (SUSE-SU-2023:0465-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2023:0465-1 advisory. - Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has acces...
SUSE CVE-2007-6598
Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password...
Authentication Bypass
github.com/prometheus/exporter-toolkit is vulnerable to authentication bypass. It is possible to bypass the security mechanisms by poisoning the built-in authentication cache when an attacker has access to the web.yml file and user's hashed bcrypted passwords...
DEBIAN-CVE-2022-46146
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix...
CVE-2022-46146
CVE-2022-46146 affects Prometheus Exporter Toolkit prior to 0.7.2 and 0.8.2; attackers with access to the Prometheus web.yml and hashed passwords can poison the built-in authentication cache. A fix exists in 0.7.2 and 0.8.2. Attacker needs access to the hashed password to exploit. Upgrade to 0.7....
CVE-2022-46146
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix...