CVE-2020-10967 — Improper Input Validation in Dovecot

CWE-20 — Improper Input Validation CWE-400 — Uncontrolled Resource Consumption9 documents7 sources

Severity

5.3MEDIUMNVD

OSV7.5

EPSS

3.4%

top 12.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot

Timeline

PublishedMay 18

Latest updateMay 24

Description

In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/dovecot< dovecot 1:2.3.10.1+dfsg1-1 (bookworm)

▶NVDdovecot/dovecot< 2.3.10.1

▶Debiandovecot/dovecot< 1:2.3.10.1+dfsg1-1+3

▶Ubuntudovecot/dovecot< 1:2.3.7.2-1ubuntu3.1

🔴Vulnerability Details

GHSA

GHSA-qm25-rqq9-7jcr: In Dovecot before 2↗2022-05-24

▶

OSV

dovecot vulnerabilities↗2020-05-18

▶

OSV

CVE-2020-10967: In Dovecot before 2↗2020-05-18

▶

📋Vendor Advisories

Red Hat

dovecot: sending mail with empty quoted localpart leads to DoS↗2020-05-18

▶

Ubuntu

Dovecot vulnerabilities↗2020-05-18

▶

Debian

CVE-2020-10967: dovecot - In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp ...↗2020

▶

💬Community

Bugzilla

CVE-2020-10967 dovecot: sending mail with empty quoted localpart leads to DoS [fedora-all]↗2020-05-18

▶

Bugzilla

CVE-2020-10967 dovecot: sending mail with empty quoted localpart leads to DoS↗2020-05-11

▶