CVE-2019-3814: Improper Certificate Validation in Dovecot

Severity: 6.8 MEDIUM (NVD)
EPSS: 1.6% (top 18.43%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 27; latest update May 24

Description

It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.6 | Impact: 5.2

Affected Packages (5 packages)

Source     | Package          | Affected versions
debian     | debian/dovecot   | < dovecot 1:2.3.4.1-1 (bookworm)
NVD        | dovecot/dovecot  | 1.1.0 to 2.2.36.1 (+1 more range)
Debian     | dovecot/dovecot  | < 1:2.3.4.1-1 (+3 more)
CVEListV5  | dovecot/dovecot  | 2.2.36.1, 2.3.4.1 (+1 more)
NVD        | opensuse/leap    | 42.3

Also affects: Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 18.10

Vulnerability Details (2)

GHSA: GHSA-2727-qgh5-485g: It was discovered that Dovecot before versions 2... (2022-05-24)
OSV: CVE-2019-3814: It was discovered that Dovecot before versions 2... (2019-03-27)

Vendor Advisories (4)

Ubuntu: Dovecot vulnerability (2019-02-05)
Ubuntu: Dovecot vulnerability (2019-02-05)
Red Hat: dovecot: Improper certificate validation (2019-02-05)
Debian: CVE-2019-3814: dovecot - It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly ... (2019)

Community (2)

Bugzilla: CVE-2019-3814 dovecot: Improper certificate validation [fedora-all] (2019-02-07)
Bugzilla: CVE-2019-3814 dovecot: Improper certificate validation (2019-02-07)