CVE-2019-10691 log

Severity Medium
Remote Yes
Type Denial of service
JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. This can be used to crash dovecot in two ways. Attacker can repeatedly crash Dovecot authentication process by logging in using invalid UTF-8 sequence in username. This requires that auth policy is enabled. Crash can also occur if OX push notification driver is enabled and an email is delivered with invalid UTF-8 sequence in From or Subject header. In 2.2, malformed UTF-8 sequences are forwarded "as-is", and thus do not cause problems in Dovecot itself. Target systems should be checked for possible problems in dealing with such sequences.
Group Package Affected Fixed Severity Status Ticket
AVG-950 dovecot Medium Fixed
Date Advisory Group Package Severity Type
18 Apr 2019 ASA-201904-9 AVG-950 dovecot Medium denial of service