CVE-2019-10691 — Improper Handling of Syntactically Invalid Structure in Dovecot

CWE-228 — Improper Handling of Syntactically Invalid Structure8 documents7 sources

Severity

7.5HIGHNVD

EPSS

1.6%

top 18.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot Opensuse Leap

Timeline

PublishedApr 24

Latest updateMay 24

Description

The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/dovecot< dovecot 1:2.3.4.1-4 (bookworm)

▶NVDdovecot/dovecot< 2.3.5.2

▶Debiandovecot/dovecot< 1:2.3.4.1-4+3

▶NVDopensuse/leap15.0

🔴Vulnerability Details

GHSA

GHSA-7m29-wr8r-5c2m: The JSON encoder in Dovecot before 2↗2022-05-24

▶

OSV

CVE-2019-10691: The JSON encoder in Dovecot before 2↗2019-04-24

▶

📋Vendor Advisories

Ubuntu

Dovecot vulnerability↗2019-04-23

▶

Red Hat

dovecot: Mishandling invalid UTF-8 characters by JSON encoder leading to possible DoS attack.↗2019-04-18

▶

Debian

CVE-2019-10691: dovecot - The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash ...↗2019

▶

💬Community

Bugzilla

CVE-2019-10691 dovecot: Mishandling invalid UTF-8 characters by JSON encoder leading to possible DoS attack. [fedora-all]↗2019-04-18

▶

Bugzilla

CVE-2019-10691 dovecot: Mishandling invalid UTF-8 characters by JSON encoder leading to possible DoS attack.↗2019-04-18

▶