CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 2CVE-2020-10957 – dovecot: malformed NOOP commands leads to DoS
https://notcve.org/view.php?id=CVE-2020-10957
18 May 2020 — In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp. En Dovecot versiones anteriores a 2.3.10.1, el envío no autenticado de parámetros malformados hacia un comando NOOP causa una Desreferencia del Puntero NULL y un bloqueo en submission-login o lmtp. A flaw was found in Dovecot, where it did not properly handle certain malformed NOOP commands. This flaw allows a malicious attacker t... • https://packetstorm.news/files/id/157771 • CWE-400: Uncontrolled Resource Consumption CWE-476: NULL Pointer Dereference •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19722
https://notcve.org/view.php?id=CVE-2019-19722
13 Dec 2019 — In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient. En Dovecot versiones anteriores a 2.3.9.2, un atacante puede bloquear un controlador de notificación push con un correo electrónico diseñado cuando notificaciones push son usadas, debido a una desreferencia del puntero NULL. El correo electrónico debe usar una direcci... • http://www.openwall.com/lists/oss-security/2019/12/13/3 • CWE-476: NULL Pointer Dereference •
CVSS: 9.8EPSS: 37%CPEs: 5EXPL: 1CVE-2019-11500 – dovecot: improper NULL byte handling in IMAP and ManageSieve protocol parsers leads to out of bounds writes
https://notcve.org/view.php?id=CVE-2019-11500
28 Aug 2019 — In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution. En Dovecot versiones anteriores a 2.2.36.4 y versiones 2.3.x anteriores a 2.3.7.2 (y Pigeonhole versiones anteriores a 0.5.7.2), el procesamiento del protocolo puede fallar para cadenas entre comillas. Esto ocurre porque los caracteres '\0' se manejan inapropiad... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html • CWE-20: Improper Input Validation CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2019-11499 – Dovecot 2.3 Denial of Service
https://notcve.org/view.php?id=CVE-2019-11499
02 May 2019 — In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message. En el servidor IMAP en Dovecot versión 2.3.3 hasta la versión 2.3.5.2, el componente de envío de inicio de sesión se bloquea si se intenta AUTH PLAIN sobre un canal seguro TLS con un mensaje de indentidadd no aceptado Dovecot version 2.3 suffers from multiple denial of service conditions. Included in this archive is the... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html •
CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0CVE-2019-11494 – Dovecot 2.3 Denial of Service
https://notcve.org/view.php?id=CVE-2019-11494
01 May 2019 — In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command. En el servidor IMAP en Dovecot 2.3.3 a 2.3.5.2, el servicio de submission-login se bloquea cuando el cliente se desconecta prematuramente durante el comando AUTH. It was discovered that the Dovecot Submission login service incorrectly handled certain operations. A remote attacker could possibly use this issue to cause Dovecot to crash, resulting in a deni... • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-10691 – Ubuntu Security Notice USN-3951-1
https://notcve.org/view.php?id=CVE-2019-10691
23 Apr 2019 — The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username. El codificador JSON en Dovecot versiones anteriores a 2.3.5.2 permite a los atacantes bloquear repetidamente el servicio de autenticación al intentar autenticarse con una secuencia UTF-8 no válida como nombre de usuario. It was discovered that the Dovecot JSON encoder incorrectly handled certain invalid UTF-8 characters. A re... • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 0CVE-2019-7524 – dovecot: Buffer overflow in indexer-worker process results in privilege escalation
https://notcve.org/view.php?id=CVE-2019-7524
28 Mar 2019 — In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components. En Dovecot, en versiones anteriores a la 2.2.36.3 y en las 2.3.x anteriores a la 2.3.5.1, un atacante local puede provocar un desbordamiento de búfer en el proceso "indexer-worker", que se podría utilizar para elevar a root. Esto ocurre debido a la falta de comprobacion... • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00060.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-284: Improper Access Control •
CVSS: 7.7EPSS: 0%CPEs: 8EXPL: 1CVE-2019-3814 – dovecot: Improper certificate validation
https://notcve.org/view.php?id=CVE-2019-3814
05 Feb 2019 — It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users. Se ha descubierto que Dovecot, en versiones anteriores a la 2.2.36.1 y 2.3.4.1, gestiona de manera incorrecta los certificados del cliente. Un atacante remoto en posesión de un certificado válido con un campo "username" vacío podría emplear este problema para s... • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 1%CPEs: 9EXPL: 0CVE-2017-15132 – Ubuntu Security Notice USN-3556-1
https://notcve.org/view.php?id=CVE-2017-15132
25 Jan 2018 — A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion. Se ha detectado un fallo en dovecot desde la versión 2.0 hasta la 2.2.33 y 2.3.0. El aborto de una autenticación SASL resulta en una fuga de memoria en el cliente de autenticación de dovecot utili... • https://bugzilla.redhat.com/show_bug.cgi?id=1532768 • CWE-400: Uncontrolled Resource Consumption CWE-772: Missing Release of Resource after Effective Lifetime •