CVE-2022-30550: Improper Authentication in Dovecot

Severity: 8.8 HIGH (NVD)
EPSS: 0.3% (top 46.06%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 17; latest update Jul 18

Description

An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (4 packages)

Debian: debian/dovecot < 1:2.3.19.1+dfsg1-2 (bookworm)
NVD: dovecot/dovecot 2.3 | 2.4.0+1
Debian: dovecot/dovecot < 1:2.3.13+dfsg1-2+deb11u1+3

Also affects: Debian Linux 10.0

Patches

Vulnerability Details (2)

GHSA: GHSA-cch8-vp96-g53m: An issue was discovered in the auth component in Dovecot 2… (2022-07-18)
OSV: CVE-2022-30550: An issue was discovered in the auth component in Dovecot 2… (2022-07-17)

Vendor Advisories (4)

Microsoft: An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mec… (2022-07-12)
Ubuntu: Dovecot vulnerability (2022-07-11)
Red Hat: dovecot: Privilege escalation when similar master and non-master passdbs are used (2022-07-06)
Debian: CVE-2022-30550: dovecot - An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.… (2022)