CVE-2019-3814

It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.7 HIGH
NETWORK
HIGH
HIGH
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
redhatCNA
7.7 HIGH
NETWORK
HIGH
HIGH
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
dovecotdovecot
1.1.0 ≤
𝑥
< 2.2.36.1
dovecotdovecot
2.3.0 ≤
𝑥
< 2.3.4.1
canonicalubuntu_linux
12.04
canonicalubuntu_linux
14.04
canonicalubuntu_linux
16.04
canonicalubuntu_linux
18.04
canonicalubuntu_linux
18.10
opensuseleap
42.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
dovecot
bullseye
1:2.3.13+dfsg1-2+deb11u1
fixed
bullseye (security)
1:2.3.13+dfsg1-2+deb11u2
fixed
bookworm
1:2.3.19.1+dfsg1-2.1+deb12u1
fixed
bookworm (security)
1:2.3.19.1+dfsg1-2.1+deb12u1
fixed
sid
1:2.3.21.1+dfsg1-1
fixed
trixie
1:2.3.21.1+dfsg1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dovecot
cosmic
Fixed 1:2.3.2.1-1ubuntu3.1
released
bionic
Fixed 1:2.2.33.2-1ubuntu4.2
released
xenial
Fixed 1:2.2.22-1ubuntu2.9
released
trusty
Fixed 1:2.2.9-1ubuntu2.5
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html
https://access.redhat.com/errata/RHSA-2019:3467
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/
https://security.gentoo.org/glsa/201904-19
https://www.dovecot.org/list/dovecot/2019-February/114575.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html
https://access.redhat.com/errata/RHSA-2019:3467
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/
https://security.gentoo.org/glsa/201904-19
https://www.dovecot.org/list/dovecot/2019-February/114575.html