rpm package
opensuse/dovecot23&distro=openSUSE Leap 15.3
pkg:rpm/opensuse/dovecot23&distro=openSUSE%20Leap%2015.3
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-30550 | — | < 2.3.15-150200.62.1 | 2.3.15-150200.62.1 | Jul 17, 2022 | An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied | ||
| CVE-2020-28200 | — | < 2.3.15-58.3 | 2.3.15-58.3 | Jun 28, 2021 | The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension. | ||
| CVE-2021-33515 | — | < 2.3.11.3-55.1 | 2.3.11.3-55.1 | Jun 28, 2021 | The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address. | ||
| CVE-2021-29157 | — | < 2.3.11.3-55.1 | 2.3.11.3-55.1 | Jun 28, 2021 | Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver. |
- CVE-2022-30550Jul 17, 2022affected < 2.3.15-150200.62.1fixed 2.3.15-150200.62.1
An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied
- CVE-2020-28200Jun 28, 2021affected < 2.3.15-58.3fixed 2.3.15-58.3
The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.
- CVE-2021-33515Jun 28, 2021affected < 2.3.11.3-55.1fixed 2.3.11.3-55.1
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.
- CVE-2021-29157Jun 28, 2021affected < 2.3.11.3-55.1fixed 2.3.11.3-55.1
Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.