CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
72.3%
A vulnerability was found in the Dovecot IMAP Server. When two passdb configuration entries exist in the Dovecot configuration, which have the same driver and args settings, the incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrect settings can lead to an unintended security configuration and can permit privilege escalation with certain configurations involving a master user authentication. If the same passwd file or PAM is used for both normal and master users, an attacker could easily become a master user, potentially escalating privileges on the system.
Always authenticate master users from a different source than regular users, for example, use a separate passwd file. Alternatively, you can use global ACLs to ensure that only legitimate master users have privileged access.