Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2025-59031

Опубликовано: 27 мар. 2026
Источник: debian

Описание

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
dovecotfixed1:2.4.3+dfsg1-1package

Примечания

  • https://dovecot.org/mailman3/archives/list/dovecot-news@dovecot.org/thread/IKIHZX77IPTGSP5WBIPJUOFBUQFKVPE7/

  • https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html#cve-2025-59031-decode2text-sh-ooxml-extraction-may-follow-symlinks-and-read-unintended-files-during-indexing

  • decode2text.sh only installed in dovecot-core/examples

  • https://github.com/dovecot/core/commit/36a95e7fa6b913db6c03a15862628b06be66eb3e (2.4.3)

Связанные уязвимости

ubuntu логотип

CVE-2025-59031

CVSS3: 4.3
ubuntu
11 дней назад

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.

redhat логотип

CVE-2025-59031

CVSS3: 4.3
redhat
11 дней назад

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.

nvd логотип

CVE-2025-59031

CVSS3: 4.3
nvd
11 дней назад

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.

github логотип

GHSA-7r6x-855q-h59r

CVSS3: 4.3
github
11 дней назад

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.