CVE-2019-3814

It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.7 HIGH
NETWORK
HIGH
HIGH
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 81%
Affected Products (NVD)
VendorProductVersion
dovecotdovecot
1.1.0 ≤
𝑥
< 2.2.36.1
dovecotdovecot
2.3.0 ≤
𝑥
< 2.3.4.1
canonicalubuntu_linux
12.04
canonicalubuntu_linux
14.04
canonicalubuntu_linux
16.04
canonicalubuntu_linux
18.04
canonicalubuntu_linux
18.10
opensuseleap
42.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
dovecot
bookworm
1:2.3.19.1+dfsg1-2.1+deb12u1
fixed
bookworm (security)
1:2.3.19.1+dfsg1-2.1+deb12u1
fixed
bullseye
1:2.3.13+dfsg1-2+deb11u1
fixed
bullseye (security)
1:2.3.13+dfsg1-2+deb11u2
fixed
sid
1:2.3.21.1+dfsg1-1
fixed
trixie
1:2.3.21.1+dfsg1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dovecot
bionic
Fixed 1:2.2.33.2-1ubuntu4.2
released
cosmic
Fixed 1:2.3.2.1-1ubuntu3.1
released
trusty
Fixed 1:2.2.9-1ubuntu2.5
released
xenial
Fixed 1:2.2.22-1ubuntu2.9
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
dovecot22
suse enterprise sap 12 SP1
2.2.31-19.14.2
fixed
suse enterprise sap 12 SP3
2.2.31-19.14.2
fixed
suse enterprise sap 12 SP4
2.2.31-19.14.2
fixed
suse enterprise sap 12 SP5
2.2.31-19.17.1
fixed
suse enterprise server 12
2.2.31-19.14.2
fixed
suse enterprise server 12 SP1
2.2.31-19.14.2
fixed
suse enterprise server 12 SP2
2.2.31-19.14.2
fixed
suse enterprise server 12 SP3
2.2.31-19.14.2
fixed
suse enterprise server 12 SP4
2.2.31-19.14.2
fixed
suse enterprise server 12 SP5
2.2.31-19.17.1
fixed
dovecot22-backend-mysql
suse enterprise sap 12 SP1
2.2.31-19.14.2
fixed
suse enterprise sap 12 SP3
2.2.31-19.14.2
fixed
suse enterprise sap 12 SP4
2.2.31-19.14.2
fixed
suse enterprise sap 12 SP5
2.2.31-19.17.1
fixed
suse enterprise server 12
2.2.31-19.14.2
fixed
suse enterprise server 12 SP1
2.2.31-19.14.2
fixed
suse enterprise server 12 SP2
2.2.31-19.14.2
fixed
suse enterprise server 12 SP3
2.2.31-19.14.2
fixed
suse enterprise server 12 SP4
2.2.31-19.14.2
fixed
suse enterprise server 12 SP5
2.2.31-19.17.1
fixed
dovecot22-backend-pgsql
suse enterprise sap 12 SP1
2.2.31-19.14.2
fixed
suse enterprise sap 12 SP3
2.2.31-19.14.2
fixed
suse enterprise sap 12 SP4
2.2.31-19.14.2
fixed
suse enterprise sap 12 SP5
2.2.31-19.17.1
fixed
suse enterprise server 12
2.2.31-19.14.2
fixed
suse enterprise server 12 SP1
2.2.31-19.14.2
fixed
suse enterprise server 12 SP2
2.2.31-19.14.2
fixed
suse enterprise server 12 SP3
2.2.31-19.14.2
fixed
suse enterprise server 12 SP4
2.2.31-19.14.2
fixed
suse enterprise server 12 SP5
2.2.31-19.17.1
fixed
dovecot22-backend-sqlite
suse enterprise sap 12 SP1
2.2.31-19.14.2
fixed
suse enterprise sap 12 SP3
2.2.31-19.14.2
fixed
suse enterprise sap 12 SP4
2.2.31-19.14.2
fixed
suse enterprise sap 12 SP5
2.2.31-19.17.1
fixed
suse enterprise server 12
2.2.31-19.14.2
fixed
suse enterprise server 12 SP1
2.2.31-19.14.2
fixed
suse enterprise server 12 SP2
2.2.31-19.14.2
fixed
suse enterprise server 12 SP3
2.2.31-19.14.2
fixed
suse enterprise server 12 SP4
2.2.31-19.14.2
fixed
suse enterprise server 12 SP5
2.2.31-19.17.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
dovecot
RHEL 7
1:2.2.36-6.el7
fixed
RHEL 8
1:2.2.36-10.el8
fixed
dovecot-devel
RHEL 7
1:2.2.36-6.el7
fixed
RHEL 8
1:2.2.36-10.el8
fixed
dovecot-mysql
RHEL 7
1:2.2.36-6.el7
fixed
RHEL 8
1:2.2.36-10.el8
fixed
dovecot-pgsql
RHEL 7
1:2.2.36-6.el7
fixed
RHEL 8
1:2.2.36-10.el8
fixed
dovecot-pigeonhole
RHEL 7
1:2.2.36-6.el7
fixed
RHEL 8
1:2.2.36-10.el8
fixed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html
https://access.redhat.com/errata/RHSA-2019:3467
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/
https://security.gentoo.org/glsa/201904-19
https://www.dovecot.org/list/dovecot/2019-February/114575.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html
https://access.redhat.com/errata/RHSA-2019:3467
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/
https://security.gentoo.org/glsa/201904-19
https://www.dovecot.org/list/dovecot/2019-February/114575.html