CVE-2014-3430 — Improper Authentication in Dovecot

CWE-287 — Improper Authentication CWE-400 — Uncontrolled Resource Consumption8 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

8.3%

top 7.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot

Timeline

PublishedMay 14

Latest updateMay 14

Description

Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/dovecot< dovecot 1:2.2.13~rc1-1 (bookworm)

▶Debiandovecot/dovecot< 1:2.2.13~rc1-1+3

▶NVDdovecot/dovecot70 versions+69

Patches

Patch: dovecot.org ↗Patch: permalink.gmane.org ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-45g3-59h2-54v9: Dovecot 1↗2022-05-14

▶

OSV

CVE-2014-3430: Dovecot 1↗2014-05-14

▶

📋Vendor Advisories

Ubuntu

Dovecot vulnerability↗2014-05-15

▶

Red Hat

dovecot: denial of service through maxxing out SSL connections↗2014-05-09

▶

Debian

CVE-2014-3430: dovecot - Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12....↗2014

▶

💬Community

Bugzilla

CVE-2014-3430 dovecot: denial of service through maxxing out SSL connections↗2014-05-09

▶

Bugzilla

CVE-2014-3430 dovecot: denial of service through maxxing out SSL connections [fedora-all]↗2014-05-09

▶