CVE-2020-28200
Description
The Sieve engine in Dovecot before 2.3.15 allows uncontrolled resource consumption via complex regular expressions, leading to denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Sieve script engine in Dovecot versions before 2.3.15 (including Pigeonhole plugin) lacks proper resource limits for script execution. An attacker can supply a Sieve script containing a complex regular expression under the regex extension, which causes excessive CPU consumption and denial of service [1]. Affected: Dovecot < 2.3.15.
Exploitation
An authenticated user with permission to upload or modify Sieve scripts can create a script with a computationally expensive regex. No network privileges beyond normal IMAP access are required; the script executes when filtering mail [1].
Impact
Successful exploitation exhausts server CPU resources, degrading performance or causing denial of service for other users. No data compromise; only availability affected [1].
Mitigation
Fix available in Dovecot 2.3.15, which introduces per-script and cumulative CPU time limits for Sieve execution [1]. Upgrade to 2.3.15 or later. No workaround known.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Dovecot/Dovecot
- Range: <2.3.15
- OSV coordinates (19 versions):
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.3
  - pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/dovecot24&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Enterprise%20Storage%206
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP2
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP3
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Manager%20Proxy%204.0
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0
  - pkg:rpm/suse/dovecot23&distro=SUSE%20Manager%20Server%204.0
- Fixed-version ranges (no CPE):
- (no CPE) range: < 2.3.15-lp152.2.12.1
- (no CPE) range: < 2.3.15-58.3
- (no CPE) range: < 2.3.16-1.6
- (no CPE) range: < 2.4.0-1.1
- (no CPE) range: < 2.3.15-27.3
- (no CPE) range: < 2.3.15-27.3
- (no CPE) range: < 2.3.15-27.3
- (no CPE) range: < 2.3.15-4.38.3
- (no CPE) range: < 2.3.15-4.38.3
- (no CPE) range: < 2.3.15-58.3
- (no CPE) range: < 2.3.15-58.3
- (no CPE) range: < 2.3.15-27.3
- (no CPE) range: < 2.3.15-27.3
- (no CPE) range: < 2.3.15-4.38.3
- (no CPE) range: < 2.3.15-4.38.3
- (no CPE) range: < 2.3.15-27.3
- (no CPE) range: < 2.3.15-27.3
- (no CPE) range: < 2.3.15-27.3
- (no CPE) range: < 2.3.15-27.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing resource consumption limits in the Sieve interpreter allow abusive scripts with complex regular expressions to exhaust CPU resources."
Attack vector
An authenticated attacker submits a Sieve script containing a sufficiently CPU-intensive regular expression via the Sieve "regex" extension [ref_id=1]. The Sieve interpreter lacks protections against abusive scripts, so the complex regex consumes excessive CPU resources during execution [CWE-400]. This can cause partial or complete denial of service for the Dovecot server. The attacker needs only the ability to upload or modify Sieve scripts (authenticated access).
Affected code
The Sieve engine (the "sieve" component) in Dovecot before version 2.3.15 is vulnerable. The advisory identifies the vulnerable component as "sieve" and notes the vulnerability affects "ancient" versions [ref_id=1]. No specific function or file paths are named in the advisory.
What the fix does
The fix limits both CPU system+user time per single script execution and cumulatively over several script runs within a configurable timeout period [ref_id=1]. When CPU time usage is sufficiently large, it is summed in the Sieve script binary and execution is blocked when the sum exceeds the limit within that time. The block is lifted when the script is updated after the resource usage times out [ref_id=1]. No patch diff is provided in the advisory.
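The accounting described above (per-run cap, a cumulative sum kept with the compiled script, a block when the sum exceeds the limit inside a timeout window, and a lift only after the window expires and the script is updated) is easier to reason about in code. The following is an added illustration written for this page, not Dovecot's or Pigeonhole's code; the struct and function names, the limit values and the rule that a run is charged at most the per-run cap are assumptions for the example, and the timestamps and CPU costs are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical per-script state. The advisory says the sum is kept "in the
 * Sieve script binary"; this struct stands in for that storage. */
struct script_cpu_acct {
    double cpu_sum;       /* summed CPU seconds (user+system) in the current window */
    time_t window_start;  /* when the current accounting window began */
    bool   blocked;       /* true while execution of this script is refused */
};

/* Hypothetical limits; names and defaults are assumptions for this example,
 * not Dovecot's actual setting names or default values. */
struct cpu_limits {
    double max_per_run;      /* a single execution is aborted at this many CPU seconds */
    double max_cumulative;   /* block once the sum across runs exceeds this */
    double min_significant;  /* runs cheaper than this are not summed at all */
    time_t window;           /* seconds until the sum (and a block) may expire */
};

static const struct cpu_limits DEFAULT_LIMITS = {
    .max_per_run = 30.0, .max_cumulative = 60.0,
    .min_significant = 1.5, .window = 3600,
};

static bool window_expired(const struct script_cpu_acct *a,
                           const struct cpu_limits *lim, time_t now)
{
    return now - a->window_start >= lim->window;
}

void acct_init(struct script_cpu_acct *a, time_t now)
{
    a->cpu_sum = 0.0;
    a->window_start = now;
    a->blocked = false;
}

/* Gate checked before a delivery runs the script: blocked scripts never start. */
bool acct_allows_run(const struct script_cpu_acct *a)
{
    return !a->blocked;
}

/* Record one run that consumed cpu_used seconds. Returns true if the script
 * is blocked afterwards. */
bool acct_record_run(struct script_cpu_acct *a, const struct cpu_limits *lim,
                     double cpu_used, time_t now)
{
    if (window_expired(a, lim, now)) {      /* timeout period elapsed: fresh window */
        a->cpu_sum = 0.0;
        a->window_start = now;
    }
    /* Per-run limit: the interpreter aborts at max_per_run, so a run can
     * never be charged more than that (assumption of this model). */
    double charged = cpu_used > lim->max_per_run ? lim->max_per_run : cpu_used;
    /* Cumulative limit: only "sufficiently large" usage is summed. */
    if (charged >= lim->min_significant) {
        a->cpu_sum += charged;
        if (a->cpu_sum > lim->max_cumulative)
            a->blocked = true;
    }
    return a->blocked;
}

/* A block is lifted only when the script is updated after the usage timed
 * out; an update inside the window leaves it blocked. Returns true if runnable. */
bool acct_script_updated(struct script_cpu_acct *a, const struct cpu_limits *lim,
                         time_t now)
{
    if (a->blocked && window_expired(a, lim, now))
        acct_init(a, now);
    return !a->blocked;
}

/* Replay constructed per-run CPU costs one second apart and return how many
 * runs executed before the script got blocked. */
int runs_before_block(const double *costs, int n, const struct cpu_limits *lim)
{
    struct script_cpu_acct a;
    int executed = 0;
    acct_init(&a, 0);
    for (int i = 0; i < n; i++) {
        if (!acct_allows_run(&a))
            break;
        executed++;
        acct_record_run(&a, lim, costs[i], (time_t)i);
    }
    return executed;
}

/* Walk the block-and-lift life cycle on constructed timestamps and return how
 * many of four expected checkpoints held. */
int block_lifecycle_checkpoints(const struct cpu_limits *lim)
{
    struct script_cpu_acct a;
    int ok = 0;
    acct_init(&a, 0);
    acct_record_run(&a, lim, 1.0, 1);                 /* cheap run: not summed */
    if (a.cpu_sum == 0.0) ok++;
    acct_record_run(&a, lim, 50.0, 2);                /* aborted at 30 s, charged 30 */
    acct_record_run(&a, lim, 20.0, 3);                /* sum 50: still allowed */
    if (!a.blocked && a.cpu_sum == 50.0) ok++;
    acct_record_run(&a, lim, 20.0, 4);                /* sum 70 > 60: blocked */
    if (a.blocked && !acct_script_updated(&a, lim, 100)) ok++;  /* update too early */
    if (acct_script_updated(&a, lim, 3700) && a.cpu_sum == 0.0) ok++;
    return ok;
}

int main(void)
{
    /* Constructed samples: one script costing ~12 CPU s per delivery, one ~0.2 s. */
    const double heavy[] = { 12.0, 12.0, 12.0, 12.0, 12.0, 12.0, 12.0 };
    const double cheap[] = { 0.2, 0.2, 0.2, 0.2, 0.2, 0.2, 0.2 };
    printf("heavy script: %d of 7 runs executed before block\n",
           runs_before_block(heavy, 7, &DEFAULT_LIMITS));
    printf("cheap script: %d of 7 runs executed before block\n",
           runs_before_block(cheap, 7, &DEFAULT_LIMITS));
    printf("life-cycle checkpoints held: %d of 4\n",
           block_lifecycle_checkpoints(&DEFAULT_LIMITS));
    return 0;
}
```

The point to take from the model is the defensive shape of the fix: a single expensive run is bounded by the per-run cap, repeated moderately expensive runs are caught by the cumulative sum, cheap runs are never penalised, and recovery requires both the timeout and an edit to the script, so an unchanged abusive script does not silently resume.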
Preconditions
- auth: Attacker must be able to upload or modify Sieve scripts (authenticated access to Dovecot)
- config: The Sieve 'regex' extension must be enabled
- input: Attacker must craft a Sieve script with a sufficiently CPU-intensive regular expression
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI/ (mitre: vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN/ (mitre: vendor-advisory, x_refsource_FEDORA)
- dovecot.org/security (mitre: x_refsource_MISC)
- www.openwall.com/lists/oss-security/2021/06/28/3 (mitre: x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.