Description
It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.
Mitigations
Attack can be mitigated by having the certificates with proper Extended Key Usage, such as 'TLS Web Server' and 'TLS Web Server Client'. Also client-side certificate authentication can be turned off using:

    auth_ssl_require_client_cert = no
    auth_ssl_username_from_cert = no
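As an added example (not Dovecot's own code), a standard-library Python check of the two certificate properties the mitigation rests on: that the subject field Dovecot maps to the username is non-empty, and that the Extended Key Usage permits client authentication. It assumes the username field is the subject commonName (Dovecot's default ssl_cert_username_field) and builds its own unsigned skeleton certificates as constructed sample input.

```python
CN_OID = bytes.fromhex("550403")                 # commonName 2.5.4.3: assumed username field (Dovecot default)
EKU_OID = bytes.fromhex("551d25")                # id-ce-extKeyUsage 2.5.29.37
CLIENT_AUTH = bytes.fromhex("2b06010505070302")  # id-kp-clientAuth 1.3.6.1.5.5.7.3.2

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F        # long-form length uses n extra bytes
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def children(buf):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def check_client_cert(cert_der):
    """Return (username, client_auth_allowed); an empty username must be rejected."""
    tbs = read_tlv(read_tlv(cert_der)[1])[1]         # Certificate -> tbsCertificate
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                         # drop optional [0] EXPLICIT version
        fields = fields[1:]
    username, client_auth = "", False
    for _, rdn in children(fields[4][1]):            # subject: SEQUENCE OF SET OF ATV
        for _, atv in children(rdn):
            oid, value = [v for _, v in children(atv)]
            if oid == CN_OID:
                username = value.decode("utf-8")
    for tag, value in fields[6:]:
        if tag != 0xA3:                              # [3] EXPLICIT Extensions
            continue
        for _, ext in children(read_tlv(value)[1]):
            parts = list(children(ext))              # extnID, [critical], extnValue
            if parts[0][1] == EKU_OID:               # extnValue wraps SEQUENCE OF OID
                eku = read_tlv(parts[-1][1])[1]
                client_auth = any(v == CLIENT_AUTH for _, v in children(eku))
    return username, client_auth

def der(tag, body):                                  # tiny encoder for the sample below
    return bytes([tag, len(body)] if len(body) < 0x80 else [tag, 0x81, len(body)]) + body

def sample_cert(cn):                                 # constructed, unsigned skeleton cert
    subject = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))
    eku_ext = der(0x30, der(0x06, EKU_OID) + der(0x04, der(0x30, der(0x06, CLIENT_AUTH))))
    empty = der(0x30, b"")                           # stands in for fields the check ignores
    tbs = der(0x30, der(0x02, b"\x01") + empty * 3 + subject + empty + der(0xA3, der(0x30, eku_ext)))
    return der(0x30, tbs + empty + der(0x03, b"\x00"))
```

An empty first element is exactly the case the advisory describes, so the caller must treat it as an authentication failure rather than a wildcard, regardless of the EKU result.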
Affected packages
Platform | Package | Status | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 5 | dovecot | Will not fix | ||
Red Hat Enterprise Linux 6 | dovecot | Will not fix | ||
Red Hat Enterprise Linux 7 | dovecot | Fixed | RHSA-2020:1062 | 31.03.2020 |
Red Hat Enterprise Linux 8 | dovecot | Fixed | RHSA-2019:3467 | 05.11.2019 |
Additional information
CVSS3: 7.7 High