Product:

Dovecot

(Dovecot)
Repositories https://github.com/dovecot/core
#Vulnerabilities 44
Date ID Summary Products Score Patch
2020-05-18 CVE-2020-10967 In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart. Dovecot N/A
2020-05-18 CVE-2020-10958 In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command. Dovecot N/A
2020-05-18 CVE-2020-10957 In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp. Dovecot N/A
2020-02-12 CVE-2020-7957 The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. This causes a denial of service in which the recipient cannot read all of their messages. Dovecot N/A
2020-02-12 CVE-2020-7046 lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop. Dovecot N/A
2019-12-13 CVE-2019-19722 In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient. Dovecot N/A
2019-11-05 CVE-2016-4983 A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files. Dovecot, Leap, Opensuse, Enterprise_linux N/A
2018-06-21 CVE-2017-2669 Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang. Debian_linux, Dovecot 7.5
2018-01-25 CVE-2017-15132 A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion. Ubuntu_linux, Debian_linux, Dovecot 7.5
2018-03-02 CVE-2017-15130 A denial of service flaw was found in dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and the process to restart. Ubuntu_linux, Debian_linux, Dovecot 5.9