Page 3 of 41 results (0.009 seconds)

CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 1

In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp. En Dovecot versiones anteriores a 2.3.10.1, el envío no autenticado de parámetros malformados hacia un comando NOOP causa una Desreferencia del Puntero NULL y un bloqueo en submission-login o lmtp. A flaw was found in Dovecot, where it did not properly handle certain malformed NOOP commands. This flaw allows a malicious attacker to cause the submission, submission-login, or lmtp services to crash by sending specially crafted commands. Open-Xchange Dovecot versions 2.3.0 through 2.3.10 suffer from null pointer dereference and denial of service vulnerabilities. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00059.html http://packetstormsecurity.com/files/157771/Open-Xchange-Dovecot-2.3.10-Null-Pointer-Dereference-Denial-Of-Service.html http://seclists.org/fulldisclosure/2020/May/37 http://www.openwall.com/lists/oss-security/2020/05/18/1 https://dovecot.org/security https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTZN2VW55ZC2AQBGBJMLRJSZIKSB2NS6 https://lists.fedoraproject.org/archives/list/package-announce&# • CWE-400: Uncontrolled Resource Consumption CWE-476: NULL Pointer Dereference •

CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0

In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient. En Dovecot versiones anteriores a 2.3.9.2, un atacante puede bloquear un controlador de notificación push con un correo electrónico diseñado cuando notificaciones push son usadas, debido a una desreferencia del puntero NULL. El correo electrónico debe usar una dirección de grupo como remitente o destinatario. • http://www.openwall.com/lists/oss-security/2019/12/13/3 https://dovecot.org/list/dovecot-news/2019-December/000428.html https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html https://dovecot.org/security.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OZCJ3RBA4WIYGN7SOV4TW2AIHXPZATK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PPB7PG5BM3MC5ZF2KHQ3UR7CZIO42BB • CWE-476: NULL Pointer Dereference •

CVSS: 9.8EPSS: 52%CPEs: 5EXPL: 1

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution. En Dovecot versiones anteriores a 2.2.36.4 y versiones 2.3.x anteriores a 2.3.7.2 (y Pigeonhole versiones anteriores a 0.5.7.2), el procesamiento del protocolo puede fallar para cadenas entre comillas. Esto ocurre porque los caracteres '\0' se manejan inapropiadamente y pueden generar escrituras fuera de límites y ejecución de código remota. A flaw was found in dovecot. • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html http://www.openwall.com/lists/oss-security/2019/08/28/3 https://access.redhat.com/errata/RHSA-2019:2822 https://access.redhat.com/errata/RHSA-2019:2836 https://access.redhat.com/errata/RHSA-2019:2885 https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html • CWE-20: Improper Input Validation CWE-787: Out-of-bounds Write •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username. El codificador JSON en Dovecot versiones anteriores a 2.3.5.2 permite a los atacantes bloquear repetidamente el servicio de autenticación al intentar autenticarse con una secuencia UTF-8 no válida como nombre de usuario. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html http://www.openwall.com/lists/oss-security/2019/04/18/3 https://dovecot.org/list/dovecot-news/2019-April/000406.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS https://security.gentoo.org/glsa/201908-29 •

CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 0

In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components. En Dovecot, en versiones anteriores a la 2.2.36.3 y en las 2.3.x anteriores a la 2.3.5.1, un atacante local puede provocar un desbordamiento de búfer en el proceso "indexer-worker", que se podría utilizar para elevar a root. Esto ocurre debido a la falta de comprobaciones en los componentes fts y pop3-uidl. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html http://www.openwall.com/lists/oss-security/2019/03/28/1 http://www.securityfocus.com/bid/107672 https://dovecot.org/list/dovecot-news/2019-March/000403.html https://dovecot.org/security.html https://lists.debian.org/debian-lts-announce/2019/03/msg00038.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.o • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-284: Improper Access Control •