CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 1CVE-2020-12674 – dovecot: Crash due to assert in RPA implementation
https://notcve.org/view.php?id=CVE-2020-12674
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled. En Dovecot versiones anteriores a 2.3.11.3, el envío de una petición RPA con un formato especial bloqueará el servicio auth porque una longitud de cero es manejada inapropiadamente A flaw was found in dovecot. An attacker can use the way dovecot handles RPA (Remote Passphrase Authentication) to crash the authentication process repeatedly preventing login. The highest threat from this vulnerability is to system availability. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00048.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00059.html https://dovecot.org/security https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2 https://lists.fedoraproject.org/ar • CWE-125: Out-of-bounds Read •
CVSS: 5.3EPSS: 5%CPEs: 1EXPL: 1CVE-2020-10967 – dovecot: sending mail with empty quoted localpart leads to DoS
https://notcve.org/view.php?id=CVE-2020-10967
In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart. En Dovecot versiones anteriores a 2.3.10.1, los atacantes remotos no autenticados pueden bloquear el proceso lmtp o submission mediante el envío de un correo con un localpart vacío. Open-Xchange Dovecot versions 2.3.0 through 2.3.10 suffer from null pointer dereference and denial of service vulnerabilities. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html http://seclists.org/fulldisclosure/2020/May/37 http://www.openwall.com/lists/oss-security/2020/05/18/1 https://dovecot.org/security https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT https://lists.fedoraproject.org/archives/list/package-announce&# • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.9EPSS: 1%CPEs: 1EXPL: 1CVE-2020-10958 – dovecot: command followed by sufficient number of newlines leads to use-after-free
https://notcve.org/view.php?id=CVE-2020-10958
In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command. En Dovecot versiones anteriores a 2.3.10.1, un mensaje SMTP/LMTP diseñado desencadena un bug no autenticado de uso de la memoria previamente liberada en submission-login, submission, o lmtp, y puede conllevar a un bloqueo bajo circunstancias que impliquen muchas líneas nuevas después de un comando. Open-Xchange Dovecot versions 2.3.0 through 2.3.10 suffer from null pointer dereference and denial of service vulnerabilities. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html http://seclists.org/fulldisclosure/2020/May/37 http://www.openwall.com/lists/oss-security/2020/05/18/1 https://dovecot.org/security https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6 https://lists.fedoraproject.org/archives/list/package-announce&# • CWE-416: Use After Free •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 1CVE-2020-10957 – dovecot: malformed NOOP commands leads to DoS
https://notcve.org/view.php?id=CVE-2020-10957
In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp. En Dovecot versiones anteriores a 2.3.10.1, el envío no autenticado de parámetros malformados hacia un comando NOOP causa una Desreferencia del Puntero NULL y un bloqueo en submission-login o lmtp. A flaw was found in Dovecot, where it did not properly handle certain malformed NOOP commands. This flaw allows a malicious attacker to cause the submission, submission-login, or lmtp services to crash by sending specially crafted commands. Open-Xchange Dovecot versions 2.3.0 through 2.3.10 suffer from null pointer dereference and denial of service vulnerabilities. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html http://seclists.org/fulldisclosure/2020/May/37 http://www.openwall.com/lists/oss-security/2020/05/18/1 https://dovecot.org/security https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6 https://lists.fedoraproject.org/archives/list/package-announce&# • CWE-400: Uncontrolled Resource Consumption CWE-476: NULL Pointer Dereference •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-19722
https://notcve.org/view.php?id=CVE-2019-19722
In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient. En Dovecot versiones anteriores a 2.3.9.2, un atacante puede bloquear un controlador de notificación push con un correo electrónico diseñado cuando notificaciones push son usadas, debido a una desreferencia del puntero NULL. El correo electrónico debe usar una dirección de grupo como remitente o destinatario. • http://www.openwall.com/lists/oss-security/2019/12/13/3 https://dovecot.org/list/dovecot-news/2019-December/000428.html https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html https://dovecot.org/security.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OZCJ3RBA4WIYGN7SOV4TW2AIHXPZATK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PPB7PG5BM3MC5ZF2KHQ3UR7CZIO42BB • CWE-476: NULL Pointer Dereference •