CVE-2021-29157 log

Severity Medium
Remote No
Type Information disclosure
A security issue has been found in Dovecot before version The kid and azp fields in JWT tokens are not correctly escaped. This may be used to supply attacker controlled keys to validate tokens in some configurations. The attack requires an attacker to be able to write files to the local disk. As a result, a local attacker can login as any user and access their emails.
Group Package Affected Fixed Severity Status Ticket
AVG-2087 dovecot 2.3.14-2 2.3.15-1 High Fixed
Date Advisory Group Package Severity Type
22 Jun 2021 ASA-202106-56 AVG-2087 dovecot High information disclosure

Disable local JWT validation in oauth2, or use a different dict driver than fs:posix.