Vulnerabilities > Dovecot > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-03-02 CVE-2017-15130 A denial of service flaw was found in Dovecot before 2.2.34. 4.3
2018-03-02 CVE-2017-14461 Out-of-bounds Read vulnerability in multiple products
A specially crafted email delivered over SMTP and passed on to Dovecot by MTA can trigger an out of bounds read resulting in potential sensitive information disclosure and denial of service.
network
low complexity
dovecot debian ubuntu CWE-125
5.5
2018-01-25 CVE-2017-15132 Missing Release of Resource after Effective Lifetime vulnerability in multiple products
A flaw was found in Dovecot 2.0 up to 2.2.33 and 2.3.0.
network
low complexity
dovecot debian canonical CWE-772
5.0
2017-09-19 CVE-2015-3420 Improper Certificate Validation vulnerability in multiple products
The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allows remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures.
4.3
2017-02-17 CVE-2016-8652 Improper Input Validation vulnerability in Dovecot
The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows remote attackers to cause a denial of service (crash) by aborting authentication without setting a username.
network
dovecot CWE-20
4.3
2014-05-27 CVE-2013-2111 Improper Input Validation vulnerability in Dovecot
The IMAP functionality in Dovecot before 2.2.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via invalid APPEND parameters.
network
low complexity
dovecot CWE-20
5.0
2014-05-14 CVE-2014-3430 Improper Authentication vulnerability in Dovecot
Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 do not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection.
network
low complexity
dovecot CWE-287
5.0
2013-12-09 CVE-2013-6171 Improper Authentication vulnerability in Dovecot
checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server.
network
dovecot CWE-287
5.8
2013-03-07 CVE-2011-4318 Improper Input Validation vulnerability in Dovecot
Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.
network
dovecot CWE-20
5.8
2011-05-24 CVE-2011-2167 Path Traversal vulnerability in Dovecot
script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script.
network
low complexity
dovecot CWE-22
6.5