CVE-2019-19722 — NULL Pointer Dereference in Dovecot

CWE-476 — NULL Pointer Dereference7 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

1.4%

top 19.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Fedoraproject Fedora Debian Dovecot

Timeline

PublishedDec 13

Latest updateMay 24

Description

In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDdovecot/dovecot< 2.3.9.2

▶Alpinedovecot/dovecot< 2.3.9.2-r0+12

▶debiandebian/dovecot

Also affects: Fedora 30, 31

🔴Vulnerability Details

GHSA

GHSA-cpfv-hj4g-93jr: In Dovecot before 2↗2022-05-24

▶

OSV

CVE-2019-19722: In Dovecot before 2↗2019-12-13

▶

📋Vendor Advisories

Red Hat

dovecot: null pointer dereference in push notification driver↗2019-12-13

▶

Debian

CVE-2019-19722: dovecot - In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with...↗2019

▶

💬Community

Bugzilla

CVE-2019-19722 dovecot: null pointer dereference in push notification driver [fedora-all]↗2019-12-13

▶

Bugzilla

CVE-2019-19722 dovecot: null pointer dereference in push notification driver↗2019-12-12

▶