CVE-2020-24386

NameCVE-2020-24386
DescriptionAn issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2517-1, DSA-4825-1
NVD severitymedium
Debian Bugs979363

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dovecot (PTS)stretch1:2.2.27-3+deb9u5vulnerable
stretch (security)1:2.2.27-3+deb9u7fixed
buster1:2.3.4.1-5+deb10u4vulnerable
buster (security)1:2.3.4.1-5+deb10u5fixed
bullseye, sid1:2.3.11.3+dfsg1-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dovecotsourcestretch1:2.2.27-3+deb9u7DLA-2517-1
dovecotsourcebuster1:2.3.4.1-5+deb10u5DSA-4825-1
dovecotsource(unstable)(unfixed)979363

Notes

https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
https://github.com/dovecot/core/commit/00df2308b0733e810824545183d73276c416cdd3
https://github.com/dovecot/core/commit/b4a9872b833b7985c7d0e7615f1b7fc812dd4c55

Search for package or bug name: Reporting problems