CVE-2021-29157

2021-06-21T00:00:00
ID UB:CVE-2021-29157
Type ubuntucve
Reporter ubuntu.com
Modified 2021-06-21T00:00:00

Description

Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.

Notes

Author| Note
---|---
mdeslaur | per upstream, this affects 2.3.11-2.3.14