CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-10691
https://notcve.org/view.php?id=CVE-2019-10691
The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username. El codificador JSON en Dovecot versiones anteriores a 2.3.5.2 permite a los atacantes bloquear repetidamente el servicio de autenticación al intentar autenticarse con una secuencia UTF-8 no válida como nombre de usuario. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00000.html http://www.openwall.com/lists/oss-security/2019/04/18/3 https://dovecot.org/list/dovecot-news/2019-April/000406.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS https://security.gentoo.org/glsa/201908-29 •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 0CVE-2019-7524 – dovecot: Buffer overflow in indexer-worker process results in privilege escalation
https://notcve.org/view.php?id=CVE-2019-7524
In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components. En Dovecot, en versiones anteriores a la 2.2.36.3 y en las 2.3.x anteriores a la 2.3.5.1, un atacante local puede provocar un desbordamiento de búfer en el proceso "indexer-worker", que se podría utilizar para elevar a root. Esto ocurre debido a la falta de comprobaciones en los componentes fts y pop3-uidl. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html http://www.openwall.com/lists/oss-security/2019/03/28/1 http://www.securityfocus.com/bid/107672 https://dovecot.org/list/dovecot-news/2019-March/000403.html https://dovecot.org/security.html https://lists.debian.org/debian-lts-announce/2019/03/msg00038.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.o • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-284: Improper Access Control •
CVSS: 7.7EPSS: 0%CPEs: 8EXPL: 1CVE-2019-3814 – dovecot: Improper certificate validation
https://notcve.org/view.php?id=CVE-2019-3814
It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users. Se ha descubierto que Dovecot, en versiones anteriores a la 2.2.36.1 y 2.3.4.1, gestiona de manera incorrecta los certificados del cliente. Un atacante remoto en posesión de un certificado válido con un campo "username" vacío podría emplear este problema para suplantar a otros usuarios. It was discovered that Dovecot incorrectly handled client certificates. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html https://access.redhat.com/errata/RHSA-2019:3467 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS https://security.gentoo.org/glsa/201904-19 https://www.dovecot.org/list/dovecot/2019-Feb • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2017-15132
https://notcve.org/view.php?id=CVE-2017-15132
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion. Se ha detectado un fallo en dovecot desde la versión 2.0 hasta la 2.2.33 y 2.3.0. El aborto de una autenticación SASL resulta en una fuga de memoria en el cliente de autenticación de dovecot utilizado por los procesos de inicio de sesión. • https://bugzilla.redhat.com/show_bug.cgi?id=1532768 https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html https://usn.ubuntu.com/3556-1 https://usn.ubuntu.com/3556-2 https://www.debian.org/security/2018/dsa-4130 https://www.dovecot.org/list/dovecot-news/2018-February/000370.html • CWE-400: Uncontrolled Resource Consumption CWE-772: Missing Release of Resource after Effective Lifetime •