CVE-2021-29157

Ubuntu Security Notice USN-4993-1

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.

Dovecot versiones anteriores a 2.3.15, permite un Salto de Ruta ../. Un atacante con acceso al sistema de archivos local puede engañar a la autenticación OAuth2 en usar una clave de comprobación HS256 desde una ubicación controlada por el atacante. Esto ocurre durante el uso de la comprobación JWT local con el controlador posix fs

Kirin discovered that Dovecot incorrectly escaped kid and azp fields in JWT tokens. A local attacker could possibly use this issue to validate tokens using arbitrary keys. This issue only affected Ubuntu 20.10 and Ubuntu 21.04. Fabian Ising and Damian Poddebniak discovered that Dovecot incorrectly handled STARTTLS when using the SMTP submission service. A remote attacker could possibly use this issue to inject plaintext commands before STARTTLS negotiation. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-03-25 CVE Reserved
2021-06-21 CVE Published
2024-08-03 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (5)

URL	Tag	Source
https://www.openwall.com/lists/oss-security/2021/06/28/1	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://dovecot.org/security	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JB2VTJ3G2ILYWH5Y2FTY2PUHT2MD6VMI	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TK424DWFO2TKJYXZ2H3XL633TYJL4GQN	2023-11-07
https://security.gentoo.org/glsa/202107-41	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dovecot Search vendor "Dovecot"		Dovecot Search vendor "Dovecot" for product "Dovecot"				>= 2.3.11 < 2.3.14.1 Search vendor "Dovecot" for product "Dovecot" and version " >= 2.3.11 < 2.3.14.1"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected