VYPR
Unrated severity · NVD Advisory · Published Jan 4, 2021 · Updated Aug 4, 2024

CVE-2020-24386

Description

Authenticated Dovecot users can access other users' emails via crafted IMAP IDLE commands in versions before 2.3.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Dovecot versions 2.2.26 through 2.3.11.3 are vulnerable to CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences in the IMAP hibernation component. When IMAP hibernation is enabled (imap_hibernate_timeout > 0), an authenticated attacker can send a specially crafted IMAP IDLE command that triggers unhibernation with attacker-controlled parameters, causing Dovecot to incorrectly associate the session with another user's mailbox [1][2].

Exploitation

An attacker must have valid credentials to authenticate to the Dovecot IMAP server. With no additional network privileges, the attacker sends a crafted IMAP IDLE command that manipulates the unhibernation process. This causes Dovecot to restore a session that belongs to a different user, allowing the attacker to interact with that user's mailbox [1][2].

Impact

Successful exploitation enables the attacker to read other users' email messages and discover filesystem path information, leading to unauthorized disclosure of sensitive data and potential further compromise. The vulnerability has a CVSS score of 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N), indicating high impact on confidentiality and integrity [1][2].

Mitigation

The issue is fixed in Dovecot version 2.3.13, released on 2020-08-27 [1][2]. As a workaround, administrators can disable IMAP hibernation by setting imap_hibernate_timeout = 0 or leaving it unset (default is disabled) [2]. Users should upgrade to 2.3.13 or later to fully address the vulnerability.
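A posture check that encodes the version boundary and the hibernation workaround described above, as an added example (not part of the advisory or of Dovecot's own tooling); the `vercmp`, `hibernation_enabled` and `at_risk` helpers and the sample host list are constructed here, and the live `dovecot --version` / `doveconf -h` invocation is only shown in a comment.

```shell
#!/bin/sh
# Constructed posture check for CVE-2020-24386 (hypothetical helper).
# A host is treated as at risk when 2.2.26 <= version < 2.3.13 and
# imap_hibernate_timeout is set to a non-zero duration.

# vercmp A B -> prints -1, 0 or 1 for purely numeric dotted versions
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0          # missing component counts as 0
        [ -z "$y" ] && y=0
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo 0
}

# hibernation_enabled VALUE -> 0 (true) unless the value is unset or a zero
# duration ("0", "0s", "0 secs"); anything else is assumed to enable it.
hibernation_enabled() {
    v=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$v" in
        ""|0|0[a-z]*) return 1 ;;
        *) return 0 ;;
    esac
}

# at_risk VERSION TIMEOUT -> 0 when the host matches the vulnerable setup
at_risk() {
    ver="$1"; timeout="$2"
    [ "$(vercmp "$ver" 2.2.26)" -ge 0 ] || return 1   # before the affected range
    [ "$(vercmp "$ver" 2.3.13)" -lt 0 ] || return 1   # 2.3.13 and later carry the fix
    hibernation_enabled "$timeout"
}

# On a real host (not run here):
#   at_risk "$(dovecot --version | cut -d' ' -f1)" "$(doveconf -h imap_hibernate_timeout)"

# Constructed sample hosts (version and imap_hibernate_timeout), not real inventory
for host in "2.3.11.3 5s" "2.3.13 5s" "2.3.11.3 0" "2.2.25 30s"; do
    set -- $host
    if at_risk "$1" "$2"; then echo "$1 timeout=$2 -> AT RISK"; else echo "$1 timeout=$2 -> ok"; fi
done
```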

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 35

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 9

News mentions: 0 (no linked articles in our index yet)