
CVE-2020-10957 – dovecot: malformed NOOP commands leads to DoS
https://notcve.org/view.php?id=CVE-2020-10957
18 May 2020 — In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp. A flaw was found in Dovecot, where it did not properly handle certain malformed NOOP commands. This flaw allows a malicious attacker t... • https://packetstorm.news/files/id/157771 • CWE-400: Uncontrolled Resource Consumption • CWE-476: NULL Pointer Dereference

CVE-2020-10958 – dovecot: command followed by sufficient number of newlines leads to use-after-free
https://notcve.org/view.php?id=CVE-2020-10958
18 May 2020 — In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command. • https://packetstorm.news/files/id/157771 • CWE-416: Use After Free

CVE-2020-7957
https://notcve.org/view.php?id=CVE-2020-7957
12 Feb 2020 — The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages. • http://www.openwall.com/lists/oss-security/2020/02/12/2 • CWE-20: Improper Input Validation

CVE-2020-7046
https://notcve.org/view.php?id=CVE-2020-7046
12 Feb 2020 — lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop. • http://www.openwall.com/lists/oss-security/2020/02/12/1 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CVE-2019-19722
https://notcve.org/view.php?id=CVE-2019-19722
13 Dec 2019 — In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient. • http://www.openwall.com/lists/oss-security/2019/12/13/3 • CWE-476: NULL Pointer Dereference

CVE-2016-4983
https://notcve.org/view.php?id=CVE-2016-4983
05 Nov 2019 — A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files. • http://lists.opensuse.org/opensuse-updates/2016-11/msg00096.html • CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2019-11500 – dovecot: improper NULL byte handling in IMAP and ManageSieve protocol parsers leads to out of bounds writes
https://notcve.org/view.php?id=CVE-2019-11500
28 Aug 2019 — In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution. • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html • CWE-20: Improper Input Validation • CWE-787: Out-of-bounds Write

CVE-2019-11499 – Dovecot 2.3 Denial of Service
https://notcve.org/view.php?id=CVE-2019-11499
02 May 2019 — In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message. Dovecot version 2.3 suffers from multiple denial of service conditions. Included in this archive is the... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html

CVE-2019-11494 – Dovecot 2.3 Denial of Service
https://notcve.org/view.php?id=CVE-2019-11494
01 May 2019 — In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command. It was discovered that the Dovecot Submission login service incorrectly handled certain operations. A remote attacker could possibly use this issue to cause Dovecot to crash, resulting in a deni... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html • CWE-476: NULL Pointer Dereference

CVE-2019-10691 – Ubuntu Security Notice USN-3951-1
https://notcve.org/view.php?id=CVE-2019-10691
23 Apr 2019 — The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username. It was discovered that the Dovecot JSON encoder incorrectly handled certain invalid UTF-8 characters. A re... • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html