Description
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).
Mitigation
The flaw is only reachable when IMAP hibernation is enabled. Until the package is updated, ensure that imap_hibernate_timeout is set to 0, or is unset/commented out, in /etc/dovecot/dovecot.conf, in /etc/dovecot/conf.d/20-imap.conf, and in any other file included from them (a later assignment overrides an earlier one, so check all of them).
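As an added example (not part of the advisory or of the Dovecot project), the following POSIX shell script checks a Dovecot configuration file for the mitigation above: it reports the last uncommented imap_hibernate_timeout assignment and treats 0 or an absent setting as "hibernation disabled". The two sample configuration files are constructed inline; the function names and the temporary directory are assumptions of this example.

```sh
#!/bin/sh
# Added example: verify the imap_hibernate_timeout mitigation in a Dovecot config file.
# Not the project's code; file contents below are constructed for illustration.

# Print the effective imap_hibernate_timeout in the given file.
# Commented lines are ignored; the last uncommented assignment wins
# (later settings override earlier ones in Dovecot); unset -> "0".
effective_hibernate_timeout() {
    timeout=$(sed -n 's/^[[:space:]]*imap_hibernate_timeout[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${timeout:-0}"
}

# Return 0 when hibernation is disabled (timeout 0 or unset), 1 when enabled.
hibernation_disabled() {
    t=$(effective_hibernate_timeout "$1")
    case "$t" in
        0|0s|0secs|0m|0mins|0h|0hours) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples: a vulnerable-style config (hibernation on), a mitigated
# one, and one where the setting appears only in a comment.
tmp=$(mktemp -d)
cat > "$tmp/20-imap.conf" <<'EOF'
protocol imap {
  mail_plugins = $mail_plugins imap_quota
}
# imap_hibernate_timeout = 30s
imap_hibernate_timeout = 5s
EOF
cat > "$tmp/20-imap.fixed.conf" <<'EOF'
protocol imap {
  mail_plugins = $mail_plugins imap_quota
}
imap_hibernate_timeout = 0
EOF
cat > "$tmp/20-imap.commented.conf" <<'EOF'
# imap_hibernate_timeout = 30s
EOF

# Report each sample; the sample files are left in $tmp for inspection.
for f in "$tmp/20-imap.conf" "$tmp/20-imap.fixed.conf" "$tmp/20-imap.commented.conf"; do
    if hibernation_disabled "$f"; then
        echo "OK       $f (imap_hibernate_timeout=$(effective_hibernate_timeout "$f"))"
    else
        echo "EXPOSED  $f (imap_hibernate_timeout=$(effective_hibernate_timeout "$f"))"
    fi
done
```

On a live server the authoritative view is the merged configuration rather than any single file, so run `doveconf imap_hibernate_timeout` (or inspect `doveconf -n`) after editing; the script above is only a per-file check of the setting named in the mitigation.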
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | dovecot | Out of support scope | ||
| Red Hat Enterprise Linux 6 | dovecot | Out of support scope | ||
| Red Hat Enterprise Linux 7 | dovecot | Out of support scope | ||
| Red Hat Enterprise Linux 9 | dovecot | Affected | ||
| Red Hat Enterprise Linux 8 | dovecot | Fixed | RHSA-2021:1887 | 18.05.2021 |
Additional information
CVSS3: 6.8 Medium