CVE-2022-30550

An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.
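A configuration audit for the precondition described above, as an added example (not code from Dovecot or from this advisory): it groups `passdb` blocks by identical `driver` and `args` and reports which restricting settings are present in each colliding group. The sample configuration, its paths and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in dovecot.conf syntax (not from the advisory): one passwd
# file backs both master and normal users, separated only by username_filter.
SAMPLE_CONF = """
passdb {
  driver = passwd-file
  args = /etc/dovecot/passwd
  master = yes
  username_filter = admin-*
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/passwd
}
passdb {
  driver = pam
  args = dovecot
  mechanisms = plain login
}
"""

BLOCK_RE = re.compile(r"^[ \t]*passdb[ \t]*\{(.*?)^[ \t]*\}", re.S | re.M)
SETTING_RE = re.compile(r"^[ \t]*([a-z_]+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)
RESTRICTING = ("username_filter", "mechanisms", "master")

def parse_passdbs(conf):
    """Return one dict of settings per passdb block, in file order."""
    conf = re.sub(r"#.*", "", conf)  # simplification: treats every '#' as a comment
    return [dict(SETTING_RE.findall(body)) for body in BLOCK_RE.findall(conf)]

def find_colliding_passdbs(conf):
    """Report every group of passdb blocks sharing the same driver and args."""
    groups = defaultdict(list)
    for index, settings in enumerate(parse_passdbs(conf)):
        key = (settings.get("driver", ""), settings.get("args", ""))
        groups[key].append((index, settings))
    findings = []
    for (driver, args), members in groups.items():
        if len(members) > 1:
            # Settings that could be applied to the wrong block in the group.
            used = sorted({k for _, s in members for k in s if k in RESTRICTING})
            findings.append({"driver": driver, "args": args,
                             "blocks": [i for i, _ in members],
                             "restricting_settings": used})
    return findings

if __name__ == "__main__":
    print(find_colliding_passdbs(SAMPLE_CONF))
```

On a live system the input would be the effective configuration, for example the output of `doveconf -n`, rather than the embedded sample.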

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 8.8 HIGH | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
| CISA-ADP | ADP | 8.8 HIGH | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

EPSS Score percentile: 46%

| Vendor | Product | Version |
|---|---|---|
| dovecot | dovecot | 2.3 ≤ 𝑥 < 2.4.0 |
| dovecot | dovecot | 2.2 |
| debian | debian_linux | 10.0 |

𝑥 = Vulnerable software versions

Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| dovecot | bullseye | 1:2.3.13+dfsg1-2+deb11u1 | fixed |
| dovecot | bullseye (security) | 1:2.3.13+dfsg1-2+deb11u2 | fixed |
| dovecot | bookworm | 1:2.3.19.1+dfsg1-2.1+deb12u1 | fixed |
| dovecot | bookworm (security) | 1:2.3.19.1+dfsg1-2.1+deb12u1 | fixed |
| dovecot | sid | 1:2.3.21.1+dfsg1-1 | fixed |
| dovecot | trixie | 1:2.3.21.1+dfsg1-1 | fixed |

Ubuntu Releases

| Ubuntu Product | Codename | Fixed version | Status |
|---|---|---|---|
| dovecot | noble | | not-affected |
| dovecot | mantic | | not-affected |
| dovecot | lunar | | not-affected |
| dovecot | kinetic | 1:2.3.16+dfsg1-3ubuntu4 | released |
| dovecot | jammy | 1:2.3.16+dfsg1-3ubuntu2.1 | released |
| dovecot | impish | 1:2.3.13+dfsg1-1ubuntu3.1 | released |
| dovecot | focal | 1:2.3.7.2-1ubuntu3.6 | released |
| dovecot | bionic | 1:2.2.33.2-1ubuntu4.8 | released |
| dovecot | xenial | | needs-triage |
| dovecot | trusty | | needs-triage |