Page 3 of 21 results (0.007 seconds)

CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0

In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient. En Dovecot versiones anteriores a 2.3.9.2, un atacante puede bloquear un controlador de notificación push con un correo electrónico diseñado cuando notificaciones push son usadas, debido a una desreferencia del puntero NULL. El correo electrónico debe usar una dirección de grupo como remitente o destinatario. • http://www.openwall.com/lists/oss-security/2019/12/13/3 https://dovecot.org/list/dovecot-news/2019-December/000428.html https://dovecot.org/pipermail/dovecot-news/2019-December/000428.html https://dovecot.org/security.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OZCJ3RBA4WIYGN7SOV4TW2AIHXPZATK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PPB7PG5BM3MC5ZF2KHQ3UR7CZIO42BB • CWE-476: NULL Pointer Dereference •

CVSS: 9.8EPSS: 52%CPEs: 5EXPL: 1

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution. En Dovecot versiones anteriores a 2.2.36.4 y versiones 2.3.x anteriores a 2.3.7.2 (y Pigeonhole versiones anteriores a 0.5.7.2), el procesamiento del protocolo puede fallar para cadenas entre comillas. Esto ocurre porque los caracteres '\0' se manejan inapropiadamente y pueden generar escrituras fuera de límites y ejecución de código remota. A flaw was found in dovecot. • http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html http://www.openwall.com/lists/oss-security/2019/08/28/3 https://access.redhat.com/errata/RHSA-2019:2822 https://access.redhat.com/errata/RHSA-2019:2836 https://access.redhat.com/errata/RHSA-2019:2885 https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html • CWE-20: Improper Input Validation CWE-787: Out-of-bounds Write •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username. El codificador JSON en Dovecot versiones anteriores a 2.3.5.2 permite a los atacantes bloquear repetidamente el servicio de autenticación al intentar autenticarse con una secuencia UTF-8 no válida como nombre de usuario. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html http://www.openwall.com/lists/oss-security/2019/04/18/3 https://dovecot.org/list/dovecot-news/2019-April/000406.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS https://security.gentoo.org/glsa/201908-29 •

CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 0

In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components. En Dovecot, en versiones anteriores a la 2.2.36.3 y en las 2.3.x anteriores a la 2.3.5.1, un atacante local puede provocar un desbordamiento de búfer en el proceso "indexer-worker", que se podría utilizar para elevar a root. Esto ocurre debido a la falta de comprobaciones en los componentes fts y pop3-uidl. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html http://www.openwall.com/lists/oss-security/2019/03/28/1 http://www.securityfocus.com/bid/107672 https://dovecot.org/list/dovecot-news/2019-March/000403.html https://dovecot.org/security.html https://lists.debian.org/debian-lts-announce/2019/03/msg00038.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.o • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-284: Improper Access Control •

CVSS: 7.7EPSS: 0%CPEs: 8EXPL: 1

It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users. Se ha descubierto que Dovecot, en versiones anteriores a la 2.2.36.1 y 2.3.4.1, gestiona de manera incorrecta los certificados del cliente. Un atacante remoto en posesión de un certificado válido con un campo "username" vacío podría emplear este problema para suplantar a otros usuarios. It was discovered that Dovecot incorrectly handled client certificates. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html https://access.redhat.com/errata/RHSA-2019:3467 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS https://security.gentoo.org/glsa/201904-19 https://www.dovecot.org/list/dovecot/2019-Feb • CWE-295: Improper Certificate Validation •