CVE-2015-3420 — Improper Certificate Validation in Dovecot

CWE-295 — Improper Certificate Validation CWE-391 — Unchecked Error Condition8 documents7 sources

Severity

5.9MEDIUMNVD

EPSS

7.6%

top 8.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot Fedoraproject Fedora

Timeline

PublishedSep 19

Latest updateMay 17

Description

The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allow remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/dovecot< dovecot 1:2.2.13-12 (bookworm)

▶Debiandovecot/dovecot< 1:2.2.13-12+3

▶NVDdovecot/dovecot2.2.16

Also affects: Fedora 20, 21, 22

🔴Vulnerability Details

GHSA

GHSA-2h34-774g-95vx: The ssl-proxy-openssl↗2022-05-17

▶

OSV

CVE-2015-3420: The ssl-proxy-openssl↗2017-09-19

▶

📋Vendor Advisories

Red Hat

dovecot: SSL/TLS handshake failures leading to a crash of the login process.↗2015-04-26

▶

Debian

CVE-2015-3420: dovecot - The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disable...↗2015

▶

📄Research Papers

arXiv

No Need for Black Chambers: Testing TLS in the E-mail Ecosystem at Large↗2015-11-01

▶

💬Community

Bugzilla

CVE-2015-3420 dovecot: SSL/TLS handshake failures leading to a crash of the login process. [fedora-all]↗2015-04-28

▶

Bugzilla

CVE-2015-3420 dovecot: SSL/TLS handshake failures leading to a crash of the login process.↗2015-04-28

▶