CVE-2020-24386
Summary
| CVE | CVE-2020-24386 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-01-04 17:15:00 UTC |
| Updated | 2023-11-07 03:19:00 UTC |
| Description | An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure). |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Application | Dovecot | Dovecot | All | All | All | All |
| Application | Dovecot | Dovecot | All | All | All | All |
| Operating System | Fedoraproject | Fedora | 32 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 32 Update: dovecot-2.3.13-2.fc32 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Debian -- Security Information -- DSA-4825-1 dovecot | DEBIAN | www.debian.org | Third Party Advisory |
| Hibernation — Dovecot documentation | MISC | doc.dovecot.org | Vendor Advisory |
| [Dovecot-news] CVE-2020-24386: IMAP hibernation allows accessing other peoples mail | CONFIRM | dovecot.org | Mailing List, Vendor Advisory |
| Dovecot: Multiple vulnerabilities (GLSA 202101-01) — Gentoo security | GENTOO | security.gentoo.org | Third Party Advisory |
| Dovecot 2.3.11.3 Access Bypass ≈ Packet Storm | MISC | packetstormsecurity.com | Mailing List, Third Party Advisory, VDB Entry |
| oss-security - CVE-2020-24386: Dovecot: IMAP hibernation allows accessing other peoples mail | CONFIRM | www.openwall.com | Mailing List, Third Party Advisory |
| [SECURITY] Fedora 32 Update: dovecot-2.3.13-2.fc32 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| Full Disclosure: CVE-2020-24386: IMAP hibernation allows accessing other peoples mail | FULLDISC | seclists.org | Mailing List, Third Party Advisory |
| Dovecot | Security | MISC | dovecot.org | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159226 Oracle Enterprise Linux Security Update for dovecot (ELSA-2021-1887)
- 174719 SUSE Enterprise Linux Security update for dovecot23 (SUSE-SU-2021:0028-1)
- 174720 SUSE Enterprise Linux Security update for dovecot23 (SUSE-SU-2021:0027-1)
- 239290 Red Hat Update for dovecot (RHSA-2021:1887)
- 377163 Alibaba Cloud Linux Security Update for dovecot (ALINUX3-SA-2022:0115)
- 500155 Alpine Linux Security Update for dovecot
- 503805 Alpine Linux Security Update for dovecot
- 690394 Free Berkeley Software Distribution (FreeBSD) Security Update for mail/dovecot (bd98066d-4ea4-11eb-b412-e86a64caca56)
- 750429 OpenSUSE Security Update for dovecot23 (openSUSE-SU-2021:0072-1)
- 750445 OpenSUSE Security Update for dovecot23 (openSUSE-SU-2021:0026-1)
- 751070 OpenSUSE Security Update for dovecot23 (openSUSE-SU-2021:2892-1)
- 751078 SUSE Enterprise Linux Security Update for dovecot23 (SUSE-SU-2021:2890-1)
- 751080 SUSE Enterprise Linux Security Update for dovecot23 (SUSE-SU-2021:2891-1)
- 751091 OpenSUSE Security Update for dovecot23 (openSUSE-SU-2021:1225-1)
- 940267 AlmaLinux Security Update for dovecot (ALSA-2021:1887)