Vulnerabilities > Dovecot
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-05-18 | CVE-2020-10958 | Use After Free vulnerability in Dovecot In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command. | 5.3 |
| 2020-05-18 | CVE-2020-10957 | NULL Pointer Dereference vulnerability in Dovecot In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp. | 7.5 |
| 2020-02-12 | CVE-2020-7957 | Improper Input Validation vulnerability in multiple products The IMAP and LMTP components in Dovecot 2.3.9 before 2.3.9.3 mishandle snippet generation when many characters must be read to compute the snippet and a trailing > character exists. | 5.3 |
| 2020-02-12 | CVE-2020-7046 | Infinite Loop vulnerability in multiple products lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3.9.3 mishandles truncated UTF-8 data in command parameters, as demonstrated by the unauthenticated triggering of a submission-login infinite loop. | 7.5 |
| 2019-12-13 | CVE-2019-19722 | NULL Pointer Dereference vulnerability in multiple products In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. | 5.3 |
| 2019-11-05 | CVE-2016-4983 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files. | 3.3 |
| 2019-08-29 | CVE-2019-11500 | Out-of-bounds Write vulnerability in multiple products In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. | 9.8 |
| 2019-05-08 | CVE-2019-11494 | NULL Pointer Dereference vulnerability in multiple products In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command. | 7.5 |
| 2019-05-08 | CVE-2019-11499 | In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message. | 7.5 |
| 2019-04-24 | CVE-2019-10691 | The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username. | 7.5 |