CVE-2020-24386
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: NONE
Summary
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).
Vulnerable Configurations
References
- http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html
- http://seclists.org/fulldisclosure/2021/Jan/18
- http://www.openwall.com/lists/oss-security/2021/01/04/4
- https://doc.dovecot.org/configuration_manual/hibernation/
- https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
- https://dovecot.org/security
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/
- https://security.gentoo.org/glsa/202101-01
- https://www.debian.org/security/2021/dsa-4825