CVE-2020-7046
published 2020-02-12


Priority: P3 57
Severity: high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 51.26% (98.8th percentile)
lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop.

Affected

20 ranges
Vendor          Product   Version range           Fixed in
debian          dovecot
dovecot         dovecot   >= 0 < 2.3.10.1-r0      2.3.10.1-r0
dovecot         dovecot   >= 0 < 2.3.9.3-r0       2.3.9.3-r0
dovecot         dovecot   >= 0 < 2.3.9.3-r0       2.3.9.3-r0
dovecot         dovecot   >= 0 < 2.3.9.3-r0       2.3.9.3-r0
dovecot         dovecot   >= 0 < 2.3.9.3-r0       2.3.9.3-r0
dovecot         dovecot   >= 0 < 2.3.9.3-r0       2.3.9.3-r0
dovecot         dovecot   >= 0 < 2.3.9.3-r0       2.3.9.3-r0
dovecot         dovecot   >= 0 < 2.3.9.3-r0       2.3.9.3-r0
dovecot         dovecot   >= 0 < 2.3.9.3-r0       2.3.9.3-r0
dovecot         dovecot   >= 0 < 2.3.9.3-r0       2.3.9.3-r0
dovecot         dovecot   >= 0 < 2.3.9.3-r0       2.3.9.3-r0
dovecot         dovecot   >= 0 < 2.3.9.3-r0       2.3.9.3-r0
dovecot         dovecot   >= 0 < 2.3.9.3-r0       2.3.9.3-r0
dovecot         dovecot   >= 0 < 2.3.9.3-r0       2.3.9.3-r0
dovecot         dovecot   >= 0 < 2.3.10.1-r0      2.3.10.1-r0
dovecot         dovecot   >= 0 < 2.3.10.1-r0      2.3.10.1-r0
dovecot         dovecot   >= 2.3.9 < 2.3.9.3      2.3.9.3
fedoraproject   fedora
fedoraproject   fedora

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered by sending truncated UTF-8 data in SMTP command parameters to submission-login or lmtp processes in Dovecot 2.3.9 before 2.3.9.3, causing an infinite loop at 100% CPU; monitor for submission-login or lmtp processes pegged at 100% CPU as a DoS indicator.
  • The attack can be triggered unauthenticated: no credentials are required to exploit this DoS condition against submission-login.
  • The affected component is lib-smtp within the submission-login and lmtp services in Dovecot; focus process-level monitoring on these two daemons for anomalous CPU consumption.
  • Only Dovecot versions 2.3.9 up to (but not including) 2.3.9.3 are affected; versions outside this range (including all RHEL 5/6/7/8 shipped versions) are not affected.
  • Red Hat Enterprise Linux 5, 6, 7, and 8 packages are confirmed not affected; no patching action is required on those platforms.
  • The fix is available in upstream commit ed4b7d5d1b30964216d61d3090a7b47a957f5b26; patch or upgrade to Dovecot 2.3.9.3 or later to remediate.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd             v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd             v2.0      7.8     HIGH       AV:N/AC:L/Au:N/C:N/I:N/A:C
osv                       7.5     HIGH
vendor_debian             7.5     LOW
vendor_redhat             7.5     HIGH