Filtered by vendor Dovecot
Total: 53 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2010-0745 | 1 Dovecot | 1 Dovecot | 2024-08-07 | N/A |
Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) via long headers in an e-mail message. | ||||
CVE-2011-4318 | 2 Dovecot, Redhat | 2 Dovecot, Enterprise Linux | 2024-08-07 | N/A |
Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname. | ||||
CVE-2011-2166 | 2 Dovecot, Redhat | 2 Dovecot, Enterprise Linux | 2024-08-06 | N/A |
script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script. | ||||
CVE-2011-2167 | 2 Dovecot, Redhat | 2 Dovecot, Enterprise Linux | 2024-08-06 | N/A |
script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script. | ||||
CVE-2011-1929 | 2 Dovecot, Redhat | 2 Dovecot, Enterprise Linux | 2024-08-06 | N/A |
lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\0' characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message. | ||||
CVE-2013-6171 | 1 Dovecot | 1 Dovecot | 2024-08-06 | N/A |
checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server. | ||||
CVE-2013-2111 | 1 Dovecot | 1 Dovecot | 2024-08-06 | N/A |
The IMAP functionality in Dovecot before 2.2.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via invalid APPEND parameters. | ||||
CVE-2014-3430 | 2 Dovecot, Redhat | 2 Dovecot, Enterprise Linux | 2024-08-06 | N/A |
Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 do not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection. | ||||
CVE-2015-3420 | 2 Dovecot, Fedoraproject | 2 Dovecot, Fedora | 2024-08-06 | N/A |
The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allows remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures. | ||||
CVE-2016-8652 | 1 Dovecot | 1 Dovecot | 2024-08-06 | N/A |
The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows remote attackers to cause a denial of service (crash) by aborting authentication without setting a username. | ||||
CVE-2016-4983 | 3 Dovecot, Opensuse, Redhat | 4 Dovecot, Leap, Opensuse and 1 more | 2024-08-06 | 3.3 Low |
A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files. | ||||
CVE-2017-2669 | 2 Debian, Dovecot | 2 Debian Linux, Dovecot | 2024-08-05 | N/A |
Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang. | ||||
CVE-2019-19722 | 2 Dovecot, Fedoraproject | 2 Dovecot, Fedora | 2024-08-05 | 5.3 Medium |
In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient. | ||||
CVE-2019-11500 | 4 Debian, Dovecot, Fedoraproject and 1 more | 5 Debian Linux, Dovecot, Pigeonhole and 2 more | 2024-08-04 | N/A |
In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution. | ||||
CVE-2019-11499 | 3 Dovecot, Fedoraproject, Opensuse | 3 Dovecot, Fedora, Leap | 2024-08-04 | 7.5 High |
In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message. | ||||
CVE-2019-11494 | 3 Dovecot, Fedoraproject, Opensuse | 3 Dovecot, Fedora, Leap | 2024-08-04 | 7.5 High |
In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command. | ||||
CVE-2019-10691 | 2 Dovecot, Opensuse | 2 Dovecot, Leap | 2024-08-04 | N/A |
The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username. | ||||
CVE-2019-7524 | 5 Canonical, Debian, Dovecot and 2 more | 5 Ubuntu Linux, Debian Linux, Dovecot and 2 more | 2024-08-04 | N/A |
In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components. | ||||
CVE-2019-3814 | 4 Canonical, Dovecot, Opensuse and 1 more | 4 Ubuntu Linux, Dovecot, Leap and 1 more | 2024-08-04 | N/A |
It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users. | ||||
CVE-2020-28200 | 2 Dovecot, Fedoraproject | 2 Dovecot, Fedora | 2024-08-04 | 4.3 Medium |
The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension. |