Description
Dovecot has provided a script to use for attachment-to-text conversion. This script unsafely handles zip-style attachments. An attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently end up in FTS indexes. Do not use the provided script; instead, use something else, such as FTS Tika. No publicly available exploits are known.
A flaw was found in Dovecot. An attacker can exploit this by using specially crafted OOXML (Office Open XML) documents that are unsafely handled by a provided script designed for attachment to text conversion. This can lead to unintended files on the system being indexed and subsequently exposed in Full Text Search (FTS) indexes, resulting in information disclosure.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | dovecot | Not affected | | |
| Red Hat Enterprise Linux 6 | dovecot | Out of support scope | | |
| Red Hat Enterprise Linux 7 | dovecot | Fix deferred | | |
| Red Hat Enterprise Linux 8 | dovecot | Not affected | | |
| Red Hat Enterprise Linux 9 | dovecot | Not affected | | |
Additional information
Status:
4.3 Medium
CVSS3