Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for dovecot by [UNKNOWN]

    CVE-2017-2669 (GCVE-0-2017-2669)

    Vulnerability from nvd – Published: 2018-06-21 13:00 – Updated: 2024-08-05 14:02
    VLAI
    Summary
    Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    [UNKNOWN] dovecot Affected: dovecot 2.2.29
    Create a notification for this product.
    Date Public
    2017-04-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:02:06.877Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[dovecot-news] 20170410 v2.2.29 released",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html"
              },
              {
                "name": "[oss-security] 20170411 CVE-2017-2669: Dovecot DoS when passdb dict was used for authentication",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2017/04/11/1"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch"
              },
              {
                "name": "DSA-3828",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2017/dsa-3828"
              },
              {
                "name": "97536",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/97536"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "dovecot",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "dovecot 2.2.29"
                }
              ]
            }
          ],
          "datePublic": "2017-04-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Dovecot before version 2.2.29 is vulnerable to a denial of service. When \u0027dict\u0027 passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-06-22T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "[dovecot-news] 20170410 v2.2.29 released",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html"
            },
            {
              "name": "[oss-security] 20170411 CVE-2017-2669: Dovecot DoS when passdb dict was used for authentication",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2017/04/11/1"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch"
            },
            {
              "name": "DSA-3828",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2017/dsa-3828"
            },
            {
              "name": "97536",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/97536"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-2669",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "dovecot",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "dovecot 2.2.29"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Dovecot before version 2.2.29 is vulnerable to a denial of service. When \u0027dict\u0027 passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "3.7/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[dovecot-news] 20170410 v2.2.29 released",
                  "refsource": "MLIST",
                  "url": "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html"
                },
                {
                  "name": "[oss-security] 20170411 CVE-2017-2669: Dovecot DoS when passdb dict was used for authentication",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2017/04/11/1"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669"
                },
                {
                  "name": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch"
                },
                {
                  "name": "DSA-3828",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2017/dsa-3828"
                },
                {
                  "name": "97536",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/97536"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-2669",
        "datePublished": "2018-06-21T13:00:00.000Z",
        "dateReserved": "2016-12-01T00:00:00.000Z",
        "dateUpdated": "2024-08-05T14:02:06.877Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-2669 (GCVE-0-2017-2669)

    Vulnerability from cvelistv5 – Published: 2018-06-21 13:00 – Updated: 2024-08-05 14:02
    VLAI
    Summary
    Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    [UNKNOWN] dovecot Affected: dovecot 2.2.29
    Create a notification for this product.
    Date Public
    2017-04-10 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T14:02:06.877Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[dovecot-news] 20170410 v2.2.29 released",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html"
              },
              {
                "name": "[oss-security] 20170411 CVE-2017-2669: Dovecot DoS when passdb dict was used for authentication",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2017/04/11/1"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch"
              },
              {
                "name": "DSA-3828",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2017/dsa-3828"
              },
              {
                "name": "97536",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/97536"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "dovecot",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "dovecot 2.2.29"
                }
              ]
            }
          ],
          "datePublic": "2017-04-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Dovecot before version 2.2.29 is vulnerable to a denial of service. When \u0027dict\u0027 passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-06-22T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "[dovecot-news] 20170410 v2.2.29 released",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html"
            },
            {
              "name": "[oss-security] 20170411 CVE-2017-2669: Dovecot DoS when passdb dict was used for authentication",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2017/04/11/1"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch"
            },
            {
              "name": "DSA-3828",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2017/dsa-3828"
            },
            {
              "name": "97536",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/97536"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-2669",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "dovecot",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "dovecot 2.2.29"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Dovecot before version 2.2.29 is vulnerable to a denial of service. When \u0027dict\u0027 passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "3.7/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[dovecot-news] 20170410 v2.2.29 released",
                  "refsource": "MLIST",
                  "url": "https://dovecot.org/pipermail/dovecot-news/2017-April/000341.html"
                },
                {
                  "name": "[oss-security] 20170411 CVE-2017-2669: Dovecot DoS when passdb dict was used for authentication",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2017/04/11/1"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2669"
                },
                {
                  "name": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch"
                },
                {
                  "name": "DSA-3828",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2017/dsa-3828"
                },
                {
                  "name": "97536",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/97536"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-2669",
        "datePublished": "2018-06-21T13:00:00.000Z",
        "dateReserved": "2016-12-01T00:00:00.000Z",
        "dateUpdated": "2024-08-05T14:02:06.877Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }