CVE-2019-11499
Description
Dovecot IMAP server crashes in submission-login when AUTH PLAIN is used over TLS with an invalid message, affecting versions 2.3.3 to 2.3.5.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dovecot IMAP server crashes in submission-login when AUTH PLAIN is used over TLS with an invalid message, affecting versions 2.3.3 to 2.3.5.2.
Vulnerability
In Dovecot versions 2.3.3 through 2.3.5.2, the submission-login component contains a bug that causes a crash when the AUTH PLAIN command is sent over a TLS-secured channel with an unacceptable authentication message [1][2]. The crash occurs in the submission-login process handling the authentication.
Exploitation
An unauthenticated attacker with network access to the IMAP server over a TLS connection can trigger the crash by sending a crafted AUTH PLAIN command with an invalid authentication payload [1][2]. No prior authentication or special privileges are required.
Impact
Successful exploitation causes the submission-login process to crash, resulting in denial of service for the IMAP service [1][2]. The crash does not lead to information disclosure or privilege escalation.
Mitigation
The vulnerability is fixed in Dovecot versions after 2.3.5.2 [1][2]. Users should upgrade to the latest version. Alternatively, administrators can apply the patches provided by the Dovecot project or their distribution (e.g., Fedora) [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7- Dovecot/IMAP Serverdescription
- Range: 2.3.3 - 2.3.5.2
- osv-coords5 versionspkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/dovecot24&distro=openSUSE%20Tumbleweedpkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP1
< 2.3.3-lp150.14.1+ 4 more
- (no CPE)range: < 2.3.3-lp150.14.1
- (no CPE)range: < 2.3.3-lp151.2.6.1
- (no CPE)range: < 2.3.16-1.6
- (no CPE)range: < 2.4.0-1.1
- (no CPE)range: < 2.3.3-8.1
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
6- lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/mitrevendor-advisoryx_refsource_FEDORA
- www.dovecot.org/download.htmlmitrex_refsource_MISC
- www.dovecot.org/security.htmlmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.