Lucene search
Aki Tuomi1337DAY-ID-35646HistoryJan 07, 2021 - 12:00 a.m.
Dovecot 2.3.11.3 Denial Of Service Vulnerability
2021-01-0700:00:00
Aki Tuomi
0day.today
41
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.036 Low
EPSS
Percentile
91.7%
Dovecot 2.3.11.3 Denial Of Service Vulnerability
Vendor: OX Software GmbH
Internal reference: DOV-4113 (Bug ID)
Vulnerability type: CWE-20: Improper Input Validation
Vulnerable version: 2.3.11-2.3.11.3
Vulnerable component: lda, lmtp, imap
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.3.13
Vendor notification: 2020-09-10
Solution date: 2020-09-14
Public disclosure: 2021-01-04
CVE reference: CVE-2020-25275
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Researcher credit: Innokentii Sennovskiy (Rumata888) from BI.ZONE
Vulnerability Details:
Mail delivery / parsing crashed when the 10 000th MIME part was
message/rfc822 (or if parent was multipart/digest). This happened
due to earlier MIME parsing changes for CVE-2020-12100.
Risk:
Malicious sender can crash dovecot repeatedly by sending / uploading
message with more than 10 000 MIME parts.
Workaround:
These are usually dropped by MTA, where the mitigation can also be applied.
Solution:
Operators should update to 2.3.13 or later version.
Related
cloudlinux
cloudlinux
Fix of CVE: CVE-2020-25275, CVE-2020-12100
2021-10-18 16:15:45
Fix of CVE: CVE-2020-25275, CVE-2020-12100
2021-10-07 15:19:39
openvas
openvas
Dovecot 2.3.11 - 2.3.11.3 DoS Vulnerability
2021-01-14 00:00:00
SUSE: Security Advisory (SUSE-SU-2021:0027-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2021:0029-1)
2021-04-19 00:00:00
freebsd
freebsd
mail/dovecot -- multiple vulnerabilities
2020-08-17 00:00:00
mail/dovecot -- multiple vulnerabilities
2020-04-23 00:00:00
nessus
nessus
SUSE SLES15 Security Update : dovecot23 (SUSE-SU-2021:0029-1)
2021-01-06 00:00:00
openSUSE Security Update : dovecot23 (openSUSE-2021-26)
2021-01-25 00:00:00
openSUSE Security Update : dovecot23 (openSUSE-2021-72)
2021-01-25 00:00:00
debian
debian
[SECURITY] [DSA 4825-1] dovecot security update
2021-01-04 15:23:59
[SECURITY] [DSA 4825-1] dovecot security update
2021-01-04 15:23:59
[SECURITY] [DLA 2517-1] dovecot security update
2021-01-05 16:41:18
archlinux
archlinux
[ASA-202101-4] dovecot: multiple issues
2021-01-04 00:00:00
suse
suse
Security update for dovecot23 (important)
2021-01-16 00:00:00
Security update for dovecot23 (important)
2021-01-07 00:00:00
Security update for dovecot23 (moderate)
2021-09-01 00:00:00
ubuntucve
ubuntucve
CVE-2020-25275
2021-01-04 00:00:00
CVE-2020-12100
2020-08-12 00:00:00
prion
prion
Input validation
2021-01-04 17:15:00
Design/Logic Flaw
2020-08-12 16:15:00
debiancve
debiancve
CVE-2020-12100
2020-08-12 16:15:11
CVE-2020-25275
2021-01-04 17:15:13
cvelist
cvelist
CVE-2020-12100
2020-08-12 15:07:52
CVE-2020-25275
2021-01-04 16:19:08
veracode
veracode
Denial Of Service (DoS)
2021-01-15 16:41:13
Denial Of Service (DoS)
2020-08-18 08:22:29
alpinelinux
alpinelinux
CVE-2020-25275
2021-01-04 17:15:13
CVE-2020-12100
2020-08-12 16:15:11
nvd
nvd
CVE-2020-25275
2021-01-04 17:15:13
CVE-2020-12100
2020-08-12 16:15:11
hackerone
hackerone
redhatcve
redhatcve
CVE-2020-25275
2021-01-04 15:00:19
CVE-2020-12100
2020-08-13 04:13:30
cve
cve
CVE-2020-25275
2021-01-04 17:15:13
CVE-2020-12100
2020-08-12 16:15:11
ubuntu
ubuntu
Dovecot vulnerability
2021-01-04 00:00:00
Dovecot vulnerabilities
2021-01-04 00:00:00
Dovecot vulnerabilities
2020-08-17 00:00:00
osv
osv
CVE-2020-12100
2020-08-12 16:15:11
dovecot vulnerability
2021-01-04 17:51:52
CVE-2020-25275
2021-01-04 17:15:13
fedora
fedora
[SECURITY] Fedora 32 Update: dovecot-2.3.13-2.fc32
2021-01-20 01:27:57
[SECURITY] Fedora 31 Update: dovecot-2.3.11.3-4.fc31
2020-09-03 16:27:31
[SECURITY] Fedora 33 Update: dovecot-2.3.11.3-5.fc33
2020-09-25 17:07:13
almalinux
almalinux
Moderate: dovecot security and bug fix update
2021-05-18 06:19:41
altlinux
altlinux
Security fix for the ALT Linux 9 package dovecot version 2.3.13-alt1
2021-01-18 00:00:00
Security fix for the ALT Linux 9 package dovecot version 2.3.11.3-alt1
2020-12-07 00:00:00
mageia
mageia
Updated dovecot packages fix security vulnerabilities
2021-01-08 16:59:29
Updated dovecot packages fix security vulnerability
2020-08-18 20:41:27
redhat
redhat
(RHSA-2021:1887) Moderate: dovecot security and bug fix update
2021-05-18 06:19:41
(RHSA-2020:3713) Important: dovecot security update
2020-09-10 12:36:17
(RHSA-2020:3735) Important: dovecot security update
2020-09-14 12:27:13
oraclelinux
oraclelinux
dovecot security and bug fix update
2021-05-25 00:00:00
dovecot security update
2020-09-11 00:00:00
dovecot security update
2020-09-03 00:00:00
gentoo
gentoo
Dovecot: Multiple vulnerabilities
2021-01-10 00:00:00
Dovecot: Multiple vulnerabilities
2020-09-06 00:00:00
centos
centos
dovecot security update
2020-09-14 14:40:04
amazon
amazon
Important: dovecot
2020-09-15 17:18:00
Important: dovecot
2020-10-26 17:59:00
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.036 Low
EPSS
Percentile
91.7%
Related for 1337DAY-ID-35646