A security issue has been found in Dovecot before version 188.8.131.52. The kid and azp fields in JWT tokens are not correctly escaped. This may be used to supply attacker controlled keys to validate tokens in some configurations. The attack requires an attacker to be able to write files to the local disk. As a result, a local attacker can login as any user and access their emails.
|22 Jun 2021||ASA-202106-56||AVG-2087||dovecot||High||information disclosure|
Workaround ========== Disable local JWT validation in oauth2, or use a different dict driver than fs:posix.