Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Dovecot
(Dovecot)| Repositories | https://github.com/dovecot/core |
| #Vulnerabilities | 54 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-03-28 | CVE-2019-7524 | In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components. | Ubuntu_linux, Debian_linux, Dovecot, Leap | 7.8 | ||
| 2019-04-24 | CVE-2019-10691 | The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username. | Dovecot, Leap | 7.5 | ||
| 2019-05-08 | CVE-2019-11499 | In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message. | Dovecot, Fedora, Leap | 7.5 | ||
| 2019-05-08 | CVE-2019-11494 | In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command. | Dovecot, Fedora, Leap | 7.5 | ||
| 2019-08-29 | CVE-2019-11500 | In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution. | Debian_linux, Dovecot, Pigeonhole, Fedora | 9.8 | ||
| 2019-12-13 | CVE-2019-19722 | In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient. | Dovecot, Fedora | 5.3 | ||
| 2020-05-18 | CVE-2020-10957 | In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp. | Dovecot | 7.5 | ||
| 2020-05-18 | CVE-2020-10958 | In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command. | Dovecot | 5.3 | ||
| 2020-05-18 | CVE-2020-10967 | In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart. | Dovecot | 5.3 | ||
| 2020-08-12 | CVE-2020-12100 | In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts. | Ubuntu_linux, Debian_linux, Dovecot, Fedora | 7.5 |