Improper Certificate Validation Affecting dovecot package, versions [1.1.0,2.2.36.1)[2.3.0,2.3.4.1)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.31% (70th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-DOVECOT-2381743
  • published26 Jan 2022
  • disclosed27 Mar 2019
  • creditUnknown

Introduced: 27 Mar 2019

CVE-2019-3814  (opens in a new tab)
CWE-295  (opens in a new tab)

How to fix?

Upgrade dovecot to version 2.2.36.1, 2.3.4.1 or higher.

Overview

Affected versions of this package are vulnerable to Improper Certificate Validation. It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.

References

CVSS Scores

version 3.1