Unrated severityNVD Advisory· Published Jul 17, 2022· Updated Oct 15, 2024

CVE-2022-30550

Description

An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Dovecot (software)/Dovecotcpe-rescue2 versions
(expand)+ 1 more
- (no CPE)
- (no CPE)range: <2.3.20
osv-coords37 versions
pkg:rpm/almalinux/dovecot pkg:rpm/almalinux/dovecot-devel pkg:rpm/almalinux/dovecot-mysql pkg:rpm/almalinux/dovecot-pgsql pkg:rpm/almalinux/dovecot-pigeonhole pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.3 pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.4 pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/dovecot22&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/dovecot22&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/dovecot23&distro=SUSE%20Enterprise%20Storage%206 pkg:rpm/suse/dovecot23&distro=SUSE%20Enterprise%20Storage%207 pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP3 pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP4 pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 pkg:rpm/suse/dovecot23&distro=SUSE%20Manager%20Proxy%204.1 pkg:rpm/suse/dovecot23&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1 pkg:rpm/suse/dovecot23&distro=SUSE%20Manager%20Server%204.1
< 1:2.3.16-3.el8+ 36 more
- (no CPE)range: < 1:2.3.16-3.el8
- (no CPE)range: < 1:2.3.16-3.el8
- (no CPE)range: < 1:2.3.16-3.el8
- (no CPE)range: < 1:2.3.16-3.el8
- (no CPE)range: < 1:2.3.16-3.el8
- (no CPE)range: < 2.3.15-150200.62.1
- (no CPE)range: < 2.3.15-150200.62.1
- (no CPE)range: < 2.2.31-19.29.1
- (no CPE)range: < 2.2.31-19.29.1
- (no CPE)range: < 2.2.31-19.29.1
- (no CPE)range: < 2.2.31-19.29.1
- (no CPE)range: < 2.2.31-19.29.1
- (no CPE)range: < 2.2.31-19.29.1
- (no CPE)range: < 2.2.31-19.29.1
- (no CPE)range: < 2.2.31-19.29.1
- (no CPE)range: < 2.2.31-19.29.1
- (no CPE)range: < 2.3.15-150100.31.1
- (no CPE)range: < 2.3.15-150200.62.1
- (no CPE)range: < 2.3.15-150100.31.1
- (no CPE)range: < 2.3.15-150100.31.1
- (no CPE)range: < 2.3.15-150200.62.1
- (no CPE)range: < 2.3.15-150200.62.1
- (no CPE)range: < 2.3.15-150000.4.42.1
- (no CPE)range: < 2.3.15-150000.4.42.1
- (no CPE)range: < 2.3.15-150200.62.1
- (no CPE)range: < 2.3.15-150200.62.1
- (no CPE)range: < 2.3.15-150100.31.1
- (no CPE)range: < 2.3.15-150100.31.1
- (no CPE)range: < 2.3.15-150200.62.1
- (no CPE)range: < 2.3.15-150200.62.1
- (no CPE)range: < 2.3.15-150000.4.42.1
- (no CPE)range: < 2.3.15-150000.4.42.1
- (no CPE)range: < 2.3.15-150100.31.1
- (no CPE)range: < 2.3.15-150200.62.1
- (no CPE)range: < 2.3.15-150200.62.1
- (no CPE)range: < 2.3.15-150200.62.1
- (no CPE)range: < 2.3.15-150200.62.1

Patches

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

security.gentoo.org/glsa/202310-19mitrevendor-advisory
lists.debian.org/debian-lts-announce/2022/09/msg00032.htmlmitremailing-list
dovecot.org/securitymitre
www.dovecot.org/download/mitre
www.openwall.com/lists/oss-security/2022/07/08/1mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000