CVE-2019-11500 | AVG-1026 | Critical | Yes | Arbitrary code execution | IMAP and ManageSieve protocol parsers in Dovecot before 2.3.7.2 and Pigeonhole before 0.5.7.2 do not properly handle NUL byte when scanning data in quoted...
CVE-2019-11499 | AVG-954 | Medium | Yes | Denial of service | Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent. This can lead to...
CVE-2019-11494 | AVG-954 | Medium | Yes | Denial of service | Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting. This can lead to denial of service...
CVE-2019-10691 | AVG-950 | Medium | Yes | Denial of service | JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. This can be used to crash dovecot in two ways. Attacker...
CVE-2019-7524 | AVG-944 | High | No | Privilege escalation | A stack-based buffer overflow has been found in Dovecot versions prior to 2.3.5.1. When reading FTS or POP3-UIDL header from dovecot index, the input buffer...
CVE-2019-3814 | AVG-872 | High | Yes | Authentication bypass | A vulnerability has been found in Dovecot versions prior to 2.3.4.1, allowing a remote client in possession of a trusted SSL certificate to log in as any...
CVE-2017-15132 | AVG-645 | Medium | Yes | Denial of service | A flaw was found in dovecot before 2.2.34 and 2.3.0.1. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login...
CVE-2017-15130 | AVG-645 | Medium | Yes | Denial of service | A denial of service flaw was found in dovecot before 2.2.34 and 2.3.0.1. An attacker able to generate random SNI server names could exploit TLS SNI...
CVE-2017-14461 | AVG-645 | High | Yes | Information disclosure | A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information...
CVE-2017-2669 | AVG-238 | Medium | Yes | Denial of service | A security issue has been found in Dovecot >= 2.2.26 and <= 2.2.28. If the "dict" passdb is used for authentication, the username sent by the client is...
CVE-2016-8652 | AVG-94 | Medium | Yes | Denial of service | If the auth-policy component has been activated in Dovecot, then a remote user is able to use SASL authentication to crash the auth component. Workaround is...