rpm package
suse/dovecot22&distro=SUSE Linux Enterprise Server for SAP Applications 12 SP4
pkg:rpm/suse/dovecot22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-30550 | — | < 2.2.31-19.29.1 | 2.2.31-19.29.1 | Jul 17, 2022 | An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied | ||
| CVE-2020-24386 | — | < 2.2.31-19.25.1 | 2.2.31-19.25.1 | Jan 4, 2021 | An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure). | ||
| CVE-2020-12674 | — | < 2.2.31-19.22.1 | 2.2.31-19.22.1 | Aug 12, 2020 | In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled. | ||
| CVE-2020-12673 | — | < 2.2.31-19.22.1 | 2.2.31-19.22.1 | Aug 12, 2020 | In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read. | ||
| CVE-2019-11500 | — | < 2.2.31-19.17.1 | 2.2.31-19.17.1 | Aug 29, 2019 | In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution. | ||
| CVE-2019-7524 | — | < 2.2.31-19.14.2 | 2.2.31-19.14.2 | Mar 28, 2019 | In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components. | ||
| CVE-2019-3814 | — | < 2.2.31-19.14.2 | 2.2.31-19.14.2 | Mar 27, 2019 | It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users. |
- CVE-2022-30550Jul 17, 2022affected < 2.2.31-19.29.1fixed 2.2.31-19.29.1
An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied
- CVE-2020-24386Jan 4, 2021affected < 2.2.31-19.25.1fixed 2.2.31-19.25.1
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).
- CVE-2020-12674Aug 12, 2020affected < 2.2.31-19.22.1fixed 2.2.31-19.22.1
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.
- CVE-2020-12673Aug 12, 2020affected < 2.2.31-19.22.1fixed 2.2.31-19.22.1
In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.
- CVE-2019-11500Aug 29, 2019affected < 2.2.31-19.17.1fixed 2.2.31-19.17.1
In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.
- CVE-2019-7524Mar 28, 2019affected < 2.2.31-19.14.2fixed 2.2.31-19.14.2
In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.
- CVE-2019-3814Mar 27, 2019affected < 2.2.31-19.14.2fixed 2.2.31-19.14.2
It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.