CVE-2020-12100
Description
Uncontrolled recursion in Dovecot's submission, lmtp, and lda components allows remote attackers to cause denial of service via deeply nested MIME parts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Dovecot versions before 2.3.11.3 contain an uncontrolled recursion vulnerability (CWE-674) in the submission, lmtp, and lda components. When processing a crafted e-mail message with deeply nested MIME parts, the parser recurses once per nesting level with no depth limit, leading to resource exhaustion. The issue affects Dovecot 2.0 through 2.3.11.2 [2].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted e-mail message with deeply nested MIME parts to a Dovecot server. No authentication or prior access is required; the attacker only needs network connectivity to the server's SMTP or LMTP submission port. The message triggers uncontrolled recursion during MIME parsing, consuming CPU and memory resources [2].
Impact
Successful exploitation causes a denial of service (DoS) condition. The Dovecot process handling the message becomes unresponsive or crashes, disrupting mail delivery for legitimate users. The CVSS score is 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity loss [2].
Mitigation
The vulnerability is fixed in Dovecot version 2.3.11.3, released on 2020-08-12. Administrators should upgrade to this version or later. No workarounds are documented; upgrading is the only mitigation. Note that the fix for this CVE introduced a related issue (CVE-2020-25275) which was subsequently addressed in 2.3.13 [1].
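As an added defensive illustration of the mechanism above (not code from Dovecot or from this record), the following Python walks a message's MIME tree with an explicit stack instead of recursion and rejects any message nested deeper than a configurable limit. The sample message, the limit value MAX_MIME_DEPTH and the function names are constructed for this example.

```python
from email import message_from_string, policy

MAX_MIME_DEPTH = 20  # assumed limit for this example, not Dovecot's own bound

# Constructed sample: three multipart containers around one text/plain leaf.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: user@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="middle"

--middle
Content-Type: multipart/related; boundary="inner"

--inner
Content-Type: text/plain

hello
--inner--
--middle--
--outer--
"""

def mime_nesting_depth(msg, limit=MAX_MIME_DEPTH):
    """Deepest MIME nesting level in msg (root container = 0)."""
    # Explicit stack, not recursion: the checker's own stack use stays
    # constant, and it bails out as soon as a part exceeds `limit`.
    deepest = 0
    stack = [(msg, 0)]
    while stack:
        part, depth = stack.pop()
        if depth > limit:
            raise ValueError(f"MIME part nested deeper than limit {limit}")
        deepest = max(deepest, depth)
        if part.is_multipart():  # also true for message/rfc822 wrappers
            for sub in part.get_payload():
                stack.append((sub, depth + 1))
    return deepest

def checked_nesting_depth(raw, limit=MAX_MIME_DEPTH):
    """Depth of raw if it parses and nests no deeper than `limit`, else None."""
    try:
        return mime_nesting_depth(message_from_string(raw, policy=policy.default), limit)
    except (ValueError, RecursionError):  # the stdlib parser recurses too; treat as reject
        return None
```

A gateway or milter applying this check would drop the message on None rather than handing it to a recursive parser.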
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Dovecot/Dovecot
  - Range: <2.3.11.3
- OSV coordinates (10 package versions, no CPE):
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.1 (range: < 2.3.11.3-lp151.2.15.1)
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.2 (range: < 2.3.11.3-lp152.2.6.1)
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Tumbleweed (range: < 2.3.16-1.6)
  - pkg:rpm/opensuse/dovecot24&distro=openSUSE%20Tumbleweed (range: < 2.4.0-1.1)
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS (range: < 2.3.11.3-4.32.1)
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS (range: < 2.3.11.3-4.32.1)
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP1 (range: < 2.3.11.3-21.1)
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP2 (range: < 2.3.11.3-17.5.1)
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS (range: < 2.3.11.3-4.32.1)
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 (range: < 2.3.11.3-4.32.1)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT/ (mitre: vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2/ (mitre: vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE/ (mitre: vendor-advisory, x_refsource_FEDORA)
- security.gentoo.org/glsa/202009-02 (mitre: vendor-advisory, x_refsource_GENTOO)
- usn.ubuntu.com/4456-1/ (mitre: vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4456-2/ (mitre: vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020/dsa-4745 (mitre: vendor-advisory, x_refsource_DEBIAN)
- seclists.org/fulldisclosure/2021/Jan/18 (mitre: mailing-list, x_refsource_FULLDISC)
- www.openwall.com/lists/oss-security/2020/08/12/1 (mitre: mailing-list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2021/01/04/3 (mitre: mailing-list, x_refsource_MLIST)
- dovecot.org/security (mitre: x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2020/08/msg00024.html (mitre: mailing-list, x_refsource_MLIST)
News mentions
No linked articles in our index yet.