Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.5
CVSSv2

CVE-2019-11500

Published: 29/08/2019 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Dovecot

Vulnerability Summary

In Dovecot prior to 2.2.36.4 and 2.3.x prior to 2.3.7.2 (and Pigeonhole prior to 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

dovecot dovecot

dovecot pigeonhole

debian debian linux 8.0

fedoraproject fedora 30

Vendor Advisories

Debian CVElist Bug Report Logs: dovecot: CVE-2019-11500
Debian Bug report logs - #936014 dovecot: CVE-2019-11500 Package: src:dovecot; Maintainer for src:dovecot is Dovecot Maintainers <dovecot@packagesdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Thu, 29 Aug 2019 05:15:02 UTC Severity: grave Tags: security, upstream Found in versions dovecot/ ...
Red Hat: Important: dovecot security update
Synopsis Important: dovecot security update Type/Severity Security Advisory: Important Topic An update for dovecot is now available for Red Hat Enterprise Linux 6Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, ...
Red Hat: Important: dovecot security update
Synopsis Important: dovecot security update Type/Severity Security Advisory: Important Topic An update for dovecot is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, ...
Red Hat: Important: dovecot security update
Synopsis Important: dovecot security update Type/Severity Security Advisory: Important Topic An update for dovecot is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, ...
Debian Security Advisories: DSA-4510-1 dovecot -- security update
Nick Roessler and Rafi Rubin discovered that the IMAP and ManageSieve protocol parsers in the Dovecot email server do not properly validate input (both pre- and post-login) A remote attacker can take advantage of this flaw to trigger out of bounds heap memory writes, leading to information leaks or potentially the execution of arbitrary code For ...
Ubuntu Security Notice: dovecot vulnerability
Dovecot could be made to crash or execute arbitrary code if it received a specially crafted data ...
Ubuntu Security Notice: dovecot regression
USN-4110-1 introduced a regression in Dovecot ...
Ubuntu Security Notice: dovecot vulnerability
Dovecot could be made to crash or execute arbitrary code if it received a specially crafted data ...
Ubuntu Security Notice: Dovecot regression
USN-4110-1 introduced a regression in Dovecot ...
Amazon Linux 2: ALAS2-2019-1347
In Dovecot before 22364 and 23x before 2372 (and Pigeonhole before 0572), protocol processing can fail for quoted strings This occurs because '\\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution(CVE-2019-11500) ...
Arch Linux Issues:
IMAP and ManageSieve protocol parsers in Dovecot before 2372 and Pigeonhole before 0572 do not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes ...

References

CWE-787http://www.openwall.com/lists/oss-security/2019/08/28/3https://dovecot.org/pipermail/dovecot-news/2019-August/000417.htmlhttps://www.dovecot.org/security.htmlhttps://lists.debian.org/debian-lts-announce/2019/08/msg00035.htmlhttps://security.gentoo.org/glsa/201908-29https://access.redhat.com/errata/RHSA-2019:2822https://access.redhat.com/errata/RHSA-2019:2836https://access.redhat.com/errata/RHSA-2019:2885http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936014https://nvd.nist.govhttps://usn.ubuntu.com/4110-1/https://www.debian.org/security/2019/dsa-4510
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2020-4463CVE-2024-29895injectCVE-2023-52689CVE-2024-5049CVE-2024-5051privilege escalationphysicalCVE-2023-52676
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook