VYPR
Unrated severity · NVD Advisory · Published Jun 28, 2021 · Updated Aug 3, 2024

CVE-2021-29157

Description

Dovecot before 2.3.15 contains a path traversal vulnerability in OAuth2 JWT local validation, allowing an attacker with local filesystem access to use an attacker-controlled validation key.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Dovecot before version 2.3.15 is vulnerable to a path traversal in the OAuth2 JWT local validation component when using the posix filesystem driver. An attacker with access to the local filesystem can craft a path traversal to cause Dovecot to use a validation key (HS256) from an attacker-controlled location instead of the intended one. [1]

Exploitation

Exploitation requires local filesystem access (for example, via another compromise or legitimate access) but no authentication. The attacker places a malicious JWT validation key in a directory reachable via traversal and then triggers an authentication flow that uses the OAuth2 mechanism, causing Dovecot to load the attacker-specified key. [1]

Impact

Successful exploitation allows the attacker to forge valid JWT tokens, leading to authentication bypass. This compromises both confidentiality and integrity (CVSS 6.7, C:H/I:H/A:N), potentially granting unauthorized access to user mailboxes and enabling impersonation. [1]

Mitigation

The vulnerability is fixed in Dovecot version 2.3.15, released on June 28, 2021. Users should upgrade to this version or later. If immediate upgrade is not possible, restrict local filesystem access to prevent attackers from placing malicious key files. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 21

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing path traversal validation in Dovecot's OAuth2 local JWT validation allows an attacker to specify an arbitrary key file path via the 'azp' parameter."

Attack vector

An attacker with local filesystem access can trick Dovecot's OAuth2 authentication into using an attacker-controlled HS256 validation key. The attacker places a base64-encoded HS256 shared key in a location readable by Dovecot, then supplies a path traversal string such as "../../../../../location/to/path" as the key "azp" parameter. Because Dovecot does not properly validate the key path, it reads the attacker's key and uses it to validate JWT tokens, allowing the attacker to forge tokens and authenticate as any valid user [ref_id=1].

Affected code

The vulnerability resides in Dovecot's OAuth2 component, specifically in the local JWT validation path when using the posix fs driver. The advisory identifies the vulnerable component as "oauth2" and the vulnerable version as 2.3.11, with the fix included in 2.3.15 [ref_id=1].

What the fix does

The advisory states the solution is to upgrade to the fixed version 2.3.15 [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably adds validation to ensure the key path cannot contain directory traversal sequences, restricting key file lookups to the intended configuration directory rather than allowing arbitrary paths.
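As an added illustration of the kind of check described above (not Dovecot's actual patch, whose diff the bundle does not include), the following C code accepts a key identifier taken from the token only as a single plain path component, so the file it opens always stays under the configured key directory. The base_dir/<alg>/<azp> layout, the function names and the permitted character set are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative check, not Dovecot's code: an identifier taken from the token
 * (the "azp" claim or the "alg" header) is accepted only as one plain path
 * component, so it can never name a file outside the assumed key directory. */
static bool key_id_is_safe(const char *id)
{
    if (id == NULL || id[0] == '\0' || strlen(id) > 255)
        return false;
    if (strcmp(id, ".") == 0 || strcmp(id, "..") == 0)
        return false;
    for (const char *p = id; *p != '\0'; p++) {
        char c = *p;
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
        if (!ok)
            return false; /* '/', '\\', spaces, control bytes: rejected */
    }
    return true;
}

/* Builds <base_dir>/<alg>/<azp> into out; false (out left empty) on rejection or overflow. */
bool jwt_key_path(const char *base_dir, const char *alg, const char *azp,
                  char *out, size_t outlen)
{
    if (outlen == 0) return false;
    out[0] = '\0';
    if (!key_id_is_safe(alg) || !key_id_is_safe(azp))
        return false;
    int n = snprintf(out, outlen, "%s/%s/%s", base_dir, alg, azp);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return false;
    }
    return true;
}

int main(void)
{
    char path[256];
    /* constructed sample identifiers: a benign one and the traversal string from the advisory */
    const char *ids[] = { "myapp", "../../../../../location/to/path" };
    for (size_t i = 0; i < 2; i++) {
        bool ok = jwt_key_path("/etc/dovecot/jwt-keys", "HS256", ids[i], path, sizeof path);
        printf("%-34s -> %s\n", ids[i], ok ? path : "REJECTED");
    }
    return 0;
}
```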

Preconditions

  • input: Attacker must have local filesystem access to place a malicious key file in a location readable by Dovecot
  • config: Dovecot must be configured to perform OAuth2 authentication with local JWT validation using the posix fs driver

Reproduction

1. Configure Dovecot to perform OAuth2 authentication with local JWT validation using the posix fs driver.
2. Place a base64-encoded HS256 shared key in a location readable by Dovecot.
3. Use "../../../../../location/to/path" as the key "azp" parameter.
4. Forge tokens and authenticate as any valid user [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.