rpm package
suse/dovecot23&distro=SUSE Linux Enterprise Server 15 SP1-LTSS
pkg:rpm/suse/dovecot23&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-30550 | — | < 2.3.15-150100.31.1 | 2.3.15-150100.31.1 | Jul 17, 2022 | An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied | ||
| CVE-2020-28200 | — | < 2.3.15-27.3 | 2.3.15-27.3 | Jun 28, 2021 | The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension. | ||
| CVE-2021-33515 | — | < 2.3.11.3-24.1 | 2.3.11.3-24.1 | Jun 28, 2021 | The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address. | ||
| CVE-2021-29157 | — | < 2.3.11.3-24.1 | 2.3.11.3-24.1 | Jun 28, 2021 | Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver. |
- CVE-2022-30550Jul 17, 2022affected < 2.3.15-150100.31.1fixed 2.3.15-150100.31.1
An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied
- CVE-2020-28200Jun 28, 2021affected < 2.3.15-27.3fixed 2.3.15-27.3
The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.
- CVE-2021-33515Jun 28, 2021affected < 2.3.11.3-24.1fixed 2.3.11.3-24.1
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.
- CVE-2021-29157Jun 28, 2021affected < 2.3.11.3-24.1fixed 2.3.11.3-24.1
Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.