CVE-2020-28200 — Allocation of Resources Without Limits or Throttling in Dovecot

CWE-770 — Allocation of Resources Without Limits or Throttling CWE-697 — Incorrect Comparison CWE-400 — Uncontrolled Resource Consumption6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

1.2%

top 20.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot Fedoraproject Fedora +1 more

Timeline

PublishedJun 28

Latest updateMay 24

Description

The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/dovecot< dovecot 1:2.3.16+dfsg1-1 (bookworm)

▶NVDdovecot/dovecot< 2.3.15

▶Debiandovecot/dovecot< 1:2.3.16+dfsg1-1+2

▶msrcmsrc/cbl2_dovecot_2.3.20-1_on_cbl_mariner_2.0

Also affects: Fedora 33, 34

🔴Vulnerability Details

GHSA

GHSA-f6jc-wwhw-gpq7: The Sieve engine in Dovecot before 2↗2022-05-24

▶

OSV

CVE-2020-28200: The Sieve engine in Dovecot before 2↗2021-06-28

▶

📋Vendor Advisories

Red Hat

dovecot: insufficient protection against excessive resource usage allows for a DoS↗2021-06-21

▶

Microsoft

The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption as demonstrated by a situation with a complex regular expression for the regex extension.↗2021-06-08

▶

Debian

CVE-2020-28200: dovecot - The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumpti...↗2020

▶