Veracode Vulnerability DatabaseVERACODE:21821Improper Certificate Validation
6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
4.9 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
dovecot does not properly validate client certificates. An attacker who is in possession of a valid certificate but without a username is able to impersonate other users by abusing the vulnerability.
References
lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html
lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html
access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/
access.redhat.com/errata/RHSA-2019:3467
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814
lists.fedoraproject.org/archives/list/[email protected]/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/
lists.fedoraproject.org/archives/list/[email protected]/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/
security.gentoo.org/glsa/201904-19
security.gentoo.org/glsa/201904-19
www.dovecot.org/list/dovecot/2019-February/114575.html
www.dovecot.org/list/dovecot/2019-February/114575.html
Related
6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
4.9 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N