Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Dovecot
(Dovecot)| Repositories | https://github.com/dovecot/core |
| #Vulnerabilities | 54 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-05-08 | CVE-2019-11499 | In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message. | Dovecot, Fedora, Leap | 7.5 | ||
| 2019-05-08 | CVE-2019-11494 | In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command. | Dovecot, Fedora, Leap | 7.5 | ||
| 2019-08-29 | CVE-2019-11500 | In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution. | Debian_linux, Dovecot, Pigeonhole, Fedora | 9.8 | ||
| 2019-12-13 | CVE-2019-19722 | In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient. | Dovecot, Fedora | 5.3 | ||
| 2020-05-18 | CVE-2020-10957 | In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp. | Dovecot | 7.5 | ||
| 2020-05-18 | CVE-2020-10958 | In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command. | Dovecot | 5.3 | ||
| 2020-05-18 | CVE-2020-10967 | In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart. | Dovecot | 5.3 | ||
| 2020-08-12 | CVE-2020-12100 | In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts. | Ubuntu_linux, Debian_linux, Dovecot, Fedora | 7.5 | ||
| 2018-03-02 | CVE-2017-14461 | A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service. In order to trigger this vulnerability, an attacker needs to send a specially crafted email message to the server. | Debian_linux, Dovecot, Ubuntu | 7.1 | ||
| 2008-11-01 | CVE-2008-4870 | dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value. | Dovecot | N/A |