dovecot

Description: An IMAP and POP3 server written with security primarily in mind
Version: 2.3.20-4 [extra]

Resolved

Group Affected Fixed Severity Status Ticket
AVG-2777 2.3.19.1-1 2.3.20-1 Unknown Fixed
AVG-2087 2.3.14-2 2.3.15-1 High Fixed
AVG-1398 2.3.11.3-3 2.3.13-1 High Fixed
AVG-1162 2.3.10-2 2.3.10.1-1 High Fixed
AVG-1097 2.3.9.2-1 2.3.9.3-1 Medium Fixed
AVG-1026 2.3.7.1-1 2.3.7.2-1 Critical Fixed
AVG-954 2.3.5.2-1 2.3.6-1 Medium Fixed
AVG-950 2.3.5.1-4 2.3.5.2-1 Medium Fixed
AVG-944 2.3.5-2 2.3.5.1-1 High Fixed
AVG-872 2.3.4-3 2.3.4.1-1 High Fixed
AVG-645 2.3.0-2 2.3.0.1-1 High Fixed
AVG-238 2.2.28-3 2.2.29.1-1 Medium Fixed
AVG-94 0.0-1 2.2.27-1 Medium Fixed

Issue Group Severity Remote Type Description
CVE-2022-30550 AVG-2777 Unknown Unknown Unknown Unknown
CVE-2021-33515 AVG-2087 High Yes Information disclosure
A security issue has been found in Dovecot before version 2.3.14.1. An on-path attacker could inject plaintext commands before the STARTTLS negotiation that...
CVE-2021-29157 AVG-2087 Medium No Information disclosure
A security issue has been found in Dovecot before version 2.3.14.1. The kid and azp fields in JWT tokens are not correctly escaped. This may be used to...
CVE-2020-25275 AVG-1398 Medium Yes Denial of service
A security issue was discovered in dovecot version 2.3.11 up to 2.3.11.3. Mail delivery/parsing crashed when the 10 000th MIME part was message/rfc822 (or...
CVE-2020-24386 AVG-1398 High Yes Information disclosure
A security issue was discovered in dovecot version 2.2.26 up to 2.3.11.3. When imap hibernation is active, an attacker can cause dovecot to discover the...
CVE-2020-10967 AVG-1162 Medium Yes Denial of service
A security issue has been found in Dovecot before 2.3.10.1 in the lmtp/submission component. An authenticated attacker could send an e-mail via the...
CVE-2020-10958 AVG-1162 High Yes Arbitrary code execution
A security issue has been found in Dovecot before 2.3.10.1 in the lmtp/submission component. Sending many invalid or unknown commands can cause the server...
CVE-2020-10957 AVG-1162 High Yes Denial of service
A NULL-pointer dereference issue has been found in Dovecot before 2.3.10.1 in the lmtp/submission component. A client can crash the server by sending a NOOP...
CVE-2020-7957 AVG-1097 Medium Yes Denial of service
A denial of service has been found in Dovecot before 2.3.9.3, where a specially crafted e-mail can cause a mailbox to have permanently inaccessible mail,...
CVE-2020-7046 AVG-1097 Medium Yes Denial of service
A denial of service has been found in Dovecot before 2.3.9.3, where lib-smtp doesn't handle truncated command parameters properly, resulting in infinite...
CVE-2019-11500 AVG-1026 Critical Yes Arbitrary code execution
IMAP and ManageSieve protocol parsers in Dovecot before 2.3.7.2 and Pigeonhole before 0.5.7.2 do not properly handle NUL byte when scanning data in quoted...
CVE-2019-11499 AVG-954 Medium Yes Denial of service
Submission-login crashes when authentication is started over a TLS-secured channel and an invalid authentication message is sent. This can lead to...
CVE-2019-11494 AVG-954 Medium Yes Denial of service
Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting. This can lead to denial-of-service...
CVE-2019-10691 AVG-950 Medium Yes Denial of service
JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. This can be used to crash dovecot in two ways. Attacker...
CVE-2019-7524 AVG-944 High No Privilege escalation
A stack-based buffer overflow has been found in Dovecot versions prior to 2.3.5.1. When reading FTS or POP3-UIDL header from dovecot index, the input buffer...
CVE-2019-3814 AVG-872 High Yes Authentication bypass
A vulnerability has been found in Dovecot versions prior to 2.3.4.1, allowing a remote client in possession of a trusted SSL certificate to log in as any...
CVE-2017-15132 AVG-645 Medium Yes Denial of service
A flaw was found in dovecot before 2.2.34 and 2.3.0.1. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login...
CVE-2017-15130 AVG-645 Medium Yes Denial of service
A denial of service flaw was found in dovecot before 2.2.34 and 2.3.0.1. An attacker able to generate random SNI server names could exploit TLS SNI...
CVE-2017-14461 AVG-645 High Yes Information disclosure
A specially crafted email delivered over SMTP and passed on to Dovecot by the MTA can trigger an out-of-bounds read resulting in potential sensitive information...
CVE-2017-2669 AVG-238 Medium Yes Denial of service
A security issue has been found in Dovecot >= 2.2.26 and <= 2.2.28. If the "dict" passdb is used for authentication, the username sent by the client is...
CVE-2016-8652 AVG-94 Medium Yes Denial of service
If the auth-policy component has been activated in Dovecot, then a remote user is able to use SASL authentication to crash the auth component. Workaround is...

Advisories

Date Advisory Group Severity Type
22 Jun 2021 ASA-202106-56 AVG-2087 High information disclosure
04 Jan 2021 ASA-202101-4 AVG-1398 High multiple issues
19 May 2020 ASA-202005-9 AVG-1162 High multiple issues
12 Feb 2020 ASA-202002-6 AVG-1097 Medium denial of service
28 Aug 2019 ASA-201908-18 AVG-1026 Critical arbitrary code execution
06 May 2019 ASA-201905-6 AVG-954 Medium denial of service
18 Apr 2019 ASA-201904-9 AVG-950 Medium denial of service
28 Mar 2019 ASA-201903-16 AVG-944 High privilege escalation
06 Feb 2019 ASA-201902-1 AVG-872 High authentication bypass
06 Mar 2018 ASA-201803-7 AVG-645 High multiple issues
01 May 2017 ASA-201705-1 AVG-238 Medium denial of service