Your submission was sent successfully! Close

CVE-2021-29157

Published: 21 June 2021

Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.

Priority

Medium

CVSS 3 base score: 5.5

Status

Package Release Status
dovecot
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
groovy
Released (1:2.3.11.3+dfsg1-2ubuntu0.2)
hirsute
Released (1:2.3.13+dfsg1-1ubuntu1.1)
impish
Released (2.3.13+dfsg1-1ubuntu2)
jammy
Released (2.3.13+dfsg1-1ubuntu2)
trusty Not vulnerable
(code not present)
upstream
Released (2.3.14.1)
xenial Not vulnerable
(code not present)