VYPR
Unrated severity · NVD Advisory · Published Aug 29, 2019 · Updated Aug 4, 2024

CVE-2019-11500

Description

Improper handling of null bytes in Dovecot's IMAP and ManageSieve protocol parsers allows out-of-bounds writes and remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Dovecot versions before 2.2.36.4 and 2.3.x before 2.3.7.2, as well as Pigeonhole before 0.5.7.2, mishandle \0 (null) characters during protocol parsing of quoted strings. This occurs in the IMAP and ManageSieve protocol parsers, where the parsers fail to properly account for null bytes, leading to out-of-bounds writes [4]. The vulnerability affects both pre- and post-authentication code paths [4].

Exploitation

An attacker can send a specially crafted IMAP or ManageSieve command containing a \0 byte within a quoted string. No prior authentication is required for some attack vectors (pre-authentication), while others may require an authenticated session. The attacker does not need any special network position beyond being able to connect to the Dovecot service, as the parsing occurs on the server side [4].

Impact

Successful exploitation allows an attacker to trigger out-of-bounds writes, potentially leading to remote code execution (RCE) with the privileges of the Dovecot process. This can result in full compromise of the email server, including information disclosure, modification, or denial of service [4]. Red Hat rates the severity of the vulnerability as Important [3].

Mitigation

The vulnerability is fixed in Dovecot versions 2.2.36.4 and 2.3.7.2, and Pigeonhole version 0.5.7.2 [4]. Red Hat has released updates for Red Hat Enterprise Linux 7 and 8 (e.g., RHSA-2019:2822, RHSA-2019:2885, RHSA-2019:2836) [1][2][3]. Users should update to the patched versions immediately. No workarounds are mentioned in the available references.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Improper input validation: the IMAP and ManageSieve protocol parsers do not properly handle NUL bytes when scanning quoted strings, leading to out-of-bounds heap writes."

Attack vector

An unauthenticated attacker sends a crafted IMAP or ManageSieve command containing a quoted string with an embedded NUL byte (`\0`). The parser mishandles the NUL character during quoted-string scanning, leading to out-of-bounds heap writes [CWE-20] [ref_id=1]. The attack is network-based (TCP port 143 for IMAP) and requires no authentication; pre-login writes are limited to 8096 bytes, post-login to 65536 bytes [ref_id=1].

Affected code

The vulnerability resides in the IMAP and ManageSieve protocol parsers within Dovecot (versions before 2.2.36.4 and 2.3.x before 2.3.7.2) and Pigeonhole (before 0.5.7.2). The patches target `lib-imap` and `lib-managesieve` components, specifically the quoted-string scanning and `str_unescape` functions [ref_id=1].

What the fix does

The patches add input validation to reject quoted strings containing NUL bytes, and ensure `str_unescape` does not write past the end of the allocated buffer. Specifically, the `lib-imap` and `lib-managesieve` parsers now check for and reject NUL characters during scanning, preventing the out-of-bounds writes that occur when the parser misinterprets the string length after a NUL byte [ref_id=1].
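
As an added illustration (not Dovecot's patch and not code from the advisory), the following C function shows the two properties described above: NUL bytes are rejected while scanning a quoted string, and unescaping never writes past the output buffer. The name `parse_quoted`, its return codes, and the strict rule that only `\"` and `\\` are valid escapes are assumptions of this example.

```c
#include <stddef.h>

/* Hypothetical helper (not Dovecot's API): parse one IMAP-style quoted
 * string starting at in[0] == '"'. It works on an explicit length and never
 * calls strlen(), so an embedded NUL cannot make the scanning step and the
 * unescaping step disagree about where the string ends.
 * Returns the number of input bytes consumed (both quotes included), or
 *   -1  malformed input (NUL, CR, LF, or an invalid escape)
 *   -2  closing quote not received yet (need more input)
 *   -3  unescaped value does not fit in out[] */
long parse_quoted(const unsigned char *in, size_t in_len,
                  char *out, size_t out_size, size_t *out_len)
{
    size_t i, o = 0;

    if (in_len == 0 || in[0] != '"')
        return -1;
    for (i = 1; i < in_len; i++) {
        unsigned char c = in[i];

        if (c == '\0' || c == '\r' || c == '\n')
            return -1;          /* reject NUL and line breaks outright */
        if (c == '"') {         /* unescaped closing quote: finish */
            if (o >= out_size)
                return -3;
            out[o] = '\0';
            *out_len = o;
            return (long)(i + 1);
        }
        if (c == '\\') {        /* escape: validate the following byte */
            if (++i >= in_len)
                return -2;      /* escape split across two reads */
            c = in[i];
            if (c != '"' && c != '\\')
                return -1;      /* assumption: strict escapes only */
        }
        if (o + 1 >= out_size)
            return -3;          /* always keep room for the terminator */
        out[o++] = (char)c;
    }
    return -2;                  /* input ended before the closing quote */
}
```

A caller should treat -1 as a protocol error for the connection rather than trying to resynchronise on the remaining bytes.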

Preconditions

  • network: Attacker must be able to send network traffic to the Dovecot IMAP or ManageSieve service port (e.g., port 143 for IMAP)
  • auth: No authentication required; the bug can be triggered pre-login
  • input: Attacker must craft a protocol command containing a quoted string with an embedded NUL byte

Reproduction

The advisory provides a reproduction snippet using perl and netcat: `perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\" \"\000".("x"x1020)."\\A\")\n"' | nc localhost 143`. This sends a crafted IMAP command with NUL bytes in quoted strings; the out-of-bounds behavior is best observed using valgrind [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
