CVSS: 7.8EPSS: 0%CPEs: 51EXPL: 0CVE-2013-6171 – Ubuntu Security Notice USN-3556-2
https://notcve.org/view.php?id=CVE-2013-6171
09 Dec 2013 — checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server. checkpassword-reply en Dovecot anteriores a 2.2.7 ejecuta operaciones setuid a usuarios que se están autenticando, lo cual permite a usuarios locales sortear la autenticación y accede... • http://cpanel.net/tsr-2013-0010-full-disclosure • CWE-287: Improper Authentication •
CVSS: 5.9EPSS: 0%CPEs: 16EXPL: 0CVE-2011-4318 – dovecot: proxy destination host name not checked against SSL certificate name
https://notcve.org/view.php?id=CVE-2011-4318
07 Mar 2013 — Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname. Dovecot v2.0.x antes de v2.0.16, cuando ssl o starttls está disponible y hostname se usa para definir la destinación del proxy, que no verifica que el servidor ho... • http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 6%CPEs: 31EXPL: 0CVE-2011-1929 – dovecot: potential crash when parsing header names that contain NUL characters
https://notcve.org/view.php?id=CVE-2011-1929
24 May 2011 — lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\0' characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message. lib-mail/message-header-parser.c en Dovecot v1.2.x antes de v1.2.17 y v2.0.x antes de v2.0.13 no controla correctamente los caracteres '\ 0 ' en los nombres de cabecera, lo que permite a atacantes remotos provocar una denegación de servicio... • http://dovecot.org/pipermail/dovecot/2011-May/059085.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2011-2166 – dovecot: authenticated remote bypass of intended access restrictions
https://notcve.org/view.php?id=CVE-2011-2166
24 May 2011 — script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script. La secuencia de comandos de inicio de sesión en Dovecot v2.0.x antes de v2.0.13 no sigue la configuración del usuario y grupo, lo que podría permitir a usuarios remotos autenticados eludir las restricciones de acceso destinados al aprovechar una secuencia de comandos. • http://dovecot.org/pipermail/dovecot/2011-May/059085.html • CWE-16: Configuration •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2011-2167 – dovecot: directory traversal due to not obeying chroot directive
https://notcve.org/view.php?id=CVE-2011-2167
24 May 2011 — script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script. Las secuencias de comandos de inicio de sesión en Dovecot v2.0.x antes de v2.0.13 no sigue las opciones de configuración de chroot, lo que podría permitir a usuarios remotos autenticados realizar ataques de directorio transversal mediante el aprovechamiento de una secuencia de comandos. • http://dovecot.org/pipermail/dovecot/2011-May/059085.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •