---

CVE-2020-25275 - log back

CVE-2020-25275 edited at 05 Jan 2021 07:46:20
Type	- Information disclosure + Denial of service

CVE-2020-25275 edited at 05 Jan 2021 07:45:43
Description	- A security issue was discovered in dovecot version 2.2.26 up to 2.3.11.3. When imap hibernation is active, an attacker can cause dovecot to discover the file system directory structure and access other users' emails using a specially crafted command. The attacker must have valid credentials to access the mail server. The issue is fixed in dovecot version 2.3.13. + A security issue was discovered in dovecot version 2.3.11 up to 2.3.11.3. Mail delivery/parsing crashed when the 10 000th MIME part was message/rfc822 (or if its parent was multipart/digest). This happened due to earlier MIME parsing changes for CVE-2020-12100. Malicious senders could crash dovecot repeatedly by sending/uploading messages with more than 10 000 MIME parts. The issue is fixed in dovecot version 2.3.13.
References	https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html - https://github.com/dovecot/core/commit/00df2308b0733e810824545183d73276c416cdd3 - https://github.com/dovecot/core/commit/b4a9872b833b7985c7d0e7615f1b7fc812dd4c55 + https://github.com/dovecot/core/commit/67f792cb98267ee74c425772e766e7a2525c0d8f + https://github.com/dovecot/core/commit/6ae93c3936fc870c313a6fdf44a0999d4129d9b8

CVE-2020-25275 edited at 04 Jan 2021 14:15:09
References	https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html https://github.com/dovecot/core/commit/00df2308b0733e810824545183d73276c416cdd3 + https://github.com/dovecot/core/commit/b4a9872b833b7985c7d0e7615f1b7fc812dd4c55

CVE-2020-25275 edited at 04 Jan 2021 13:12:40
References	- https://www.openwall.com/lists/oss-security/2021/01/04/4 + https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html https://github.com/dovecot/core/commit/00df2308b0733e810824545183d73276c416cdd3

CVE-2020-25275 edited at 04 Jan 2021 12:45:21
References	https://www.openwall.com/lists/oss-security/2021/01/04/4 + https://github.com/dovecot/core/commit/00df2308b0733e810824545183d73276c416cdd3

CVE-2020-25275 edited at 04 Jan 2021 12:38:53
Severity	- Unknown + Medium
Remote	- Unknown + Remote
Type	- Unknown + Information disclosure
Description	+ A security issue was discovered in dovecot version 2.2.26 up to 2.3.11.3. When imap hibernation is active, an attacker can cause dovecot to discover the file system directory structure and access other users' emails using a specially crafted command. The attacker must have valid credentials to access the mail server. The issue is fixed in dovecot version 2.3.13.
References	+ https://www.openwall.com/lists/oss-security/2021/01/04/4
Notes	+ Workaround + ========== + + Operators can choose to disable IMAP hibernation. IMAP hibernation is not on by default. To ensure imap hibernation is disabled, make sure imap_hibernate_timeout is set to 0 or unset.

CVE-2020-25275 created at 04 Jan 2021 12:31:22