Dovecot


By the Year

In 2024 there have been 0 vulnerabilities in Dovecot. Dovecot did not have any published security vulnerabilities last year either.

Year    Vulnerabilities    Average Score
2024    0                  0.00
2023    0                  0.00
2022    1                  8.80
2021    5                  5.78
2020    8                  6.68
2019    7                  7.46
2018    1                  7.10

It may take a day or so for new Dovecot vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Dovecot Security Vulnerabilities

An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20

CVE-2022-30550 8.8 - High - July 17, 2022

An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.

Authentication

The Sieve engine in Dovecot before 2.3.15

CVE-2020-28200 4.3 - Medium - June 28, 2021

The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.

Allocation of Resources Without Limits or Throttling

The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp

CVE-2021-33515 4.8 - Medium - June 28, 2021

The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.

Command Injection

Dovecot before 2.3.15 allows ../ Path Traversal

CVE-2021-29157 5.5 - Medium - June 28, 2021

Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.

Directory traversal

An issue was discovered in Dovecot before 2.3.13

CVE-2020-24386 6.8 - Medium - January 04, 2021

An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).

Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash

CVE-2020-25275 7.5 - High - January 04, 2021

Dovecot before 2.3.13 has Improper Input Validation in lda, lmtp, and imap, leading to an application crash via a crafted email message with certain choices for ten thousand MIME parts.

Improper Input Validation

In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda

CVE-2020-12100 7.5 - High - August 12, 2020

In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.

Stack Exhaustion

In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service

CVE-2020-12673 7.5 - High - August 12, 2020

In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.

Out-of-bounds Read

In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service

CVE-2020-12674 7.5 - High - August 12, 2020

In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.

Out-of-bounds Read

In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart

CVE-2020-10967 5.3 - Medium - May 18, 2020

In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.

Improper Input Validation

In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp

CVE-2020-10957 7.5 - High - May 18, 2020

In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp.

NULL Pointer Dereference

In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command

CVE-2020-10958 5.3 - Medium - May 18, 2020

In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command.

Dangling pointer

The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists

CVE-2020-7957 5.3 - Medium - February 12, 2020

The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages.

Improper Input Validation

lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters

CVE-2020-7046 7.5 - High - February 12, 2020

lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop.

Infinite Loop

In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used

CVE-2019-19722 5.3 - Medium - December 13, 2019

In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.

NULL Pointer Dereference

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings

CVE-2019-11500 9.8 - Critical - August 29, 2019

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.

Memory Corruption

In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2

CVE-2019-11494 7.5 - High - May 08, 2019

In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command.

NULL Pointer Dereference

In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2

CVE-2019-11499 7.5 - High - May 08, 2019

In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message.

The JSON encoder in Dovecot before 2.3.5.2

CVE-2019-10691 7.5 - High - April 24, 2019

The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username.

In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process

CVE-2019-7524 7.8 - High - March 28, 2019

In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.

Buffer Overflow

It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates

CVE-2019-3814 6.8 - Medium - March 27, 2019

It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.

Improper Certificate Validation

A specially crafted email delivered over SMTP and passed on to Dovecot by MTA

CVE-2017-14461 7.1 - High - March 02, 2018

A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server.

Information Disclosure

Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket

CVE-2009-3897 5.5 - Medium - November 24, 2009

Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.

Incorrect Permission Assignment for Critical Resource

The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions

CVE-2008-4577 7.5 - High - October 15, 2008

The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.

AuthZ
