Dovecot before version 2.3.14.1 does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens in some configurations. The attack requires an attacker to be able to write files to the local disk. As a result, a local attacker can login as any user and access their emails.
Dovecot before version 2.3.14.1 does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens in some configurations. The attack requires an attacker to be able to write files to the local disk. As a result, a local attacker can login as any user and access their emails.
https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html https://github.com/dovecot/core/commit/7f06f6274437ea97142df1f64f322b3ced44d0b3 https://github.com/dovecot/core/commit/7a77e070ddb6a67fe7a40118ba3e3f9b6062a7d1 https://github.com/dovecot/core/commit/bae4e44596d6548322665d242b055f44fe1dc58d
Workaround ========== Disable local JWT validation in oauth4, or use a different dict driver than fs:posix.