CVE-2022-30550
Summary
| CVE | CVE-2022-30550 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-07-17 19:15:00 UTC |
| Updated | 2024-01-12 20:47:00 UTC |
| Description | An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user. |
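The precondition named in the description is two passdb blocks whose driver and args match. The following is an added example (not part of the CVE record, the Dovecot project, or any vendor advisory): a POSIX shell/awk check that scans a `doveconf -n` style dump for passdb blocks sharing driver and args, run here over two constructed configurations. The first reproduces the layout the description warns about (one passwd-file for both normal and master users, with username_filter meant to limit who may act as a master user); the second keeps master users in their own file, which is one way to avoid the precondition on hosts not yet on 2.3.20. File paths, the `admin*` filter and the separator setting are assumed for illustration.

```shell
#!/bin/sh
# Added example: flag passdb blocks that share driver and args in a
# `doveconf -n` style dump. Not Dovecot's own tooling; paths are assumed.

# Reads config on stdin. Prints one line per (driver, args) pair that more
# than one passdb block uses; returns 1 if any such pair exists, else 0.
check_dup_passdb() {
  awk '
    # Start of a passdb block: remember its line, reset the fields we track.
    $1 == "passdb" && $2 == "{" { inpass = 1; start = NR; drv = ""; arg = ""; mst = "no"; next }
    # End of the block: group it under its (driver, args) key.
    inpass && $1 == "}" {
      key = drv "\t" arg
      count[key]++
      sep = (count[key] > 1) ? ", " : ""
      tag = (mst == "yes") ? " (master)" : ""
      where[key] = where[key] sep "line " start tag
      inpass = 0
      next
    }
    inpass && /^[ \t]*driver[ \t]*=/ { sub(/^[ \t]*driver[ \t]*=[ \t]*/, ""); drv = $0 }
    inpass && /^[ \t]*args[ \t]*=/   { sub(/^[ \t]*args[ \t]*=[ \t]*/, "");   arg = $0 }
    inpass && /^[ \t]*master[ \t]*=/ { sub(/^[ \t]*master[ \t]*=[ \t]*/, ""); mst = $0 }
    END {
      dup = 0
      for (k in count) {
        if (count[k] > 1) {
          split(k, f, "\t")
          printf "passdb driver=%s args=%s used by %d blocks: %s\n", f[1], f[2], count[k], where[k]
          dup = 1
        }
      }
      exit dup
    }'
}

# Constructed sample: the layout the CVE description warns about. Both
# passdb blocks point at the same passwd-file; only username_filter is
# meant to restrict which users may log in as master users.
VULN_CONF='auth_master_user_separator = *
passdb {
  args = /etc/dovecot/users
  driver = passwd-file
  master = yes
  username_filter = admin*
}
passdb {
  args = /etc/dovecot/users
  driver = passwd-file
}'

# Constructed sample: same intent, but master users live in their own
# file, so no two passdb blocks share driver and args.
FIXED_CONF='auth_master_user_separator = *
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/users
  driver = passwd-file
}'

# Label a result; config on stdin, label in $1.
report() {
  if check_dup_passdb; then
    echo "$1: no passdb blocks share driver and args"
  else
    echo "$1: passdb blocks share driver and args (risky before Dovecot 2.3.20)"
  fi
}

# Stand-alone run over both samples. On a real host: doveconf -n | check_dup_passdb
printf '%s\n' "$VULN_CONF"  | report vulnerable
printf '%s\n' "$FIXED_CONF" | report fixed
```

The check only detects the configuration precondition; it says nothing about which username_filter or mechanisms values the running auth process actually applied. Upgrading to 2.3.20 remains the fix, and the separate-file layout is a way to keep master and normal passdbs distinct in the meantime.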
Risk And Classification
Problem Types: CWE-287
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Dovecot: Privilege Escalation (GLSA 202310-19) — Gentoo security | GENTOO | security.gentoo.org | |
| [SECURITY] [DLA 3122-1] dovecot security update | MLIST | lists.debian.org | |
| Dovecot \| Download | MISC | www.dovecot.org | |
| oss-security - Re: CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used | CONFIRM | www.openwall.com | |
| Dovecot \| Security | MISC | dovecot.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160222 Oracle Enterprise Linux Security Update for dovecot (ELSA-2022-7623)
- 160276 Oracle Enterprise Linux Security Update for dovecot security and enhancement update (ELSA-2022-8208)
- 181004 Debian Security Update for dovecot (CVE-2022-30550)
- 181077 Debian Security Update for dovecot (DLA 3122-1)
- 198852 Ubuntu Security Notification for Dovecot Vulnerability (USN-5509-1)
- 240824 Red Hat Update for dovecot (RHSA-2022:7623)
- 240873 Red Hat Update for dovecot (RHSA-2022:8208)
- 282999 Fedora Security Update for dovecot (FEDORA-2022-df5bfaec1a)
- 283023 Fedora Security Update for dovecot (FEDORA-2022-06dfb760b2)
- 356749 Amazon Linux Security Advisory for dovecot : ALAS2-2023-2365
- 502722 Alpine Linux Security Update for dovecot
- 505616 Alpine Linux Security Update for dovecot
- 672194 EulerOS Security Update for dovecot (EulerOS-SA-2022-2456)
- 710779 Gentoo Linux Dovecot Privilege Escalation Vulnerability (GLSA 202310-19)
- 752365 SUSE Enterprise Linux Security Update for dovecot23 (SUSE-SU-2022:2432-1)
- 752366 SUSE Enterprise Linux Security Update for dovecot23 (SUSE-SU-2022:2431-1)
- 752369 SUSE Enterprise Linux Security Update for dovecot23 (SUSE-SU-2022:2448-1)
- 752415 SUSE Enterprise Linux Security Update for dovecot22 (SUSE-SU-2022:2618-1)
- 902550 Common Base Linux Mariner (CBL-Mariner) Security Update for dovecot (10311)
- 907350 Common Base Linux Mariner (CBL-Mariner) Security Update for dovecot (10311-1)
- 940748 AlmaLinux Security Update for dovecot (ALSA-2022:7623)
- 940809 AlmaLinux Security Update for dovecot (ALSA-2022:8208)
- 960187 Rocky Linux Security Update for dovecot (RLSA-2022:7623)
- 960499 Rocky Linux Security Update for dovecot (RLSA-2022:8208)