rpm package
opensuse/dovecot23&distro=openSUSE Leap 15.2
pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.2
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-28200 | — | < 2.3.15-lp152.2.12.1 | 2.3.15-lp152.2.12.1 | Jun 28, 2021 | The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension. | ||
| CVE-2021-33515 | — | < 2.3.11.3-lp152.2.9.1 | 2.3.11.3-lp152.2.9.1 | Jun 28, 2021 | The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address. | ||
| CVE-2021-29157 | — | < 2.3.11.3-lp152.2.9.1 | 2.3.11.3-lp152.2.9.1 | Jun 28, 2021 | Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver. | ||
| CVE-2020-24386 | — | < 2.3.11.3-lp152.2.6.1 | 2.3.11.3-lp152.2.6.1 | Jan 4, 2021 | An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure). | ||
| CVE-2020-25275 | — | < 2.3.11.3-lp152.2.6.1 | 2.3.11.3-lp152.2.6.1 | Jan 4, 2021 | Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts. | ||
| CVE-2020-12674 | — | < 2.3.10-lp152.2.3.1 | 2.3.10-lp152.2.3.1 | Aug 12, 2020 | In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled. | ||
| CVE-2020-12673 | — | < 2.3.10-lp152.2.3.1 | 2.3.10-lp152.2.3.1 | Aug 12, 2020 | In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read. | ||
| CVE-2020-12100 | — | < 2.3.11.3-lp152.2.6.1 | 2.3.11.3-lp152.2.6.1 | Aug 12, 2020 | In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts. |
- CVE-2020-28200Jun 28, 2021affected < 2.3.15-lp152.2.12.1fixed 2.3.15-lp152.2.12.1
The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.
- CVE-2021-33515Jun 28, 2021affected < 2.3.11.3-lp152.2.9.1fixed 2.3.11.3-lp152.2.9.1
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.
- CVE-2021-29157Jun 28, 2021affected < 2.3.11.3-lp152.2.9.1fixed 2.3.11.3-lp152.2.9.1
Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.
- CVE-2020-24386Jan 4, 2021affected < 2.3.11.3-lp152.2.6.1fixed 2.3.11.3-lp152.2.6.1
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).
- CVE-2020-25275Jan 4, 2021affected < 2.3.11.3-lp152.2.6.1fixed 2.3.11.3-lp152.2.6.1
Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.
- CVE-2020-12674Aug 12, 2020affected < 2.3.10-lp152.2.3.1fixed 2.3.10-lp152.2.3.1
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.
- CVE-2020-12673Aug 12, 2020affected < 2.3.10-lp152.2.3.1fixed 2.3.10-lp152.2.3.1
In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.
- CVE-2020-12100Aug 12, 2020affected < 2.3.11.3-lp152.2.6.1fixed 2.3.11.3-lp152.2.6.1
In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.