CVE-2019-11500

Description

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because characters are mishandled, and can lead to out-of-bounds writes and remote code execution.

Risk Information

Base Score: 9.8 MODERATE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score (Exploitation Probability): 41.525

Associated Vulnerability

Vulnerability | OS Platform
Linux kernel (0054-1) dovecot-core_2.3.4.1-1ubuntu2.4_i386.deb | Linux
Linux kernel (0054-1) dovecot-core_2.3.4.1-1ubuntu2.4_amd64.deb | Linux
Linux kernel (0054-1) dovecot-core_2.2.33.2-1ubuntu4.5_i386.deb | Linux
Linux kernel (0054-1) dovecot-core_2.2.33.2-1ubuntu4.5_amd64.deb | Linux
(RHSA-2019:2836) dovecot security update dovecot-2.2.36-3.el7_7.1.i686.rpm | Linux
(RHSA-2019:2836) dovecot security update dovecot-2.2.36-3.el7_7.1.x86_64.rpm | Linux
(RHSA-2019:2836) dovecot security update dovecot-devel-2.2.36-3.el7_7.1.x86_64.rpm | Linux
(RHSA-2019:2836) dovecot security update dovecot-mysql-2.2.36-3.el7_7.1.x86_64.rpm | Linux
(RHSA-2019:2836) dovecot security update dovecot-pgsql-2.2.36-3.el7_7.1.x86_64.rpm | Linux
(RHSA-2019:2836) dovecot security update dovecot-pigeonhole-2.2.36-3.el7_7.1.x86_64.rpm | Linux
(RHSA-2019:2885) dovecot security update dovecot-2.0.9-22.el6_10.1.i686.rpm | Linux
(RHSA-2019:2885) dovecot security update dovecot-2.0.9-22.el6_10.1.x86_64.rpm | Linux
(RHSA-2019:2885) dovecot security update dovecot-devel-2.0.9-22.el6_10.1.i686.rpm | Linux
(RHSA-2019:2885) dovecot security update dovecot-devel-2.0.9-22.el6_10.1.x86_64.rpm | Linux
(RHSA-2019:2885) dovecot security update dovecot-mysql-2.0.9-22.el6_10.1.i686.rpm | Linux
(RHSA-2019:2885) dovecot security update dovecot-mysql-2.0.9-22.el6_10.1.x86_64.rpm | Linux
(RHSA-2019:2885) dovecot security update dovecot-pgsql-2.0.9-22.el6_10.1.i686.rpm | Linux
(RHSA-2019:2885) dovecot security update dovecot-pgsql-2.0.9-22.el6_10.1.x86_64.rpm | Linux
(RHSA-2019:2885) dovecot security update dovecot-pigeonhole-2.0.9-22.el6_10.1.i686.rpm | Linux
(RHSA-2019:2885) dovecot security update dovecot-pigeonhole-2.0.9-22.el6_10.1.x86_64.rpm | Linux
Dovecot update (ELSA-2019-2885) dovecot-2.0.9-22.el6_10.1.x86_64.rpm | Linux
Dovecot-devel update (ELSA-2019-2885) dovecot-devel-2.0.9-22.el6_10.1.x86_64.rpm | Linux
Dovecot-mysql update (ELSA-2019-2885) dovecot-mysql-2.0.9-22.el6_10.1.x86_64.rpm | Linux
Dovecot-pgsql update (ELSA-2019-2885) dovecot-pgsql-2.0.9-22.el6_10.1.x86_64.rpm | Linux
Dovecot-pigeonhole update (ELSA-2019-2885) dovecot-pigeonhole-2.0.9-22.el6_10.1.x86_64.rpm | Linux
Dovecot update (ELSA-2019-2885) dovecot-2.0.9-22.el6_10.1.i686.rpm | Linux
Dovecot-devel update (ELSA-2019-2885) dovecot-devel-2.0.9-22.el6_10.1.i686.rpm | Linux
Dovecot-mysql update (ELSA-2019-2885) dovecot-mysql-2.0.9-22.el6_10.1.i686.rpm | Linux
Dovecot-pgsql update (ELSA-2019-2885) dovecot-pgsql-2.0.9-22.el6_10.1.i686.rpm | Linux
Dovecot-pigeonhole update (ELSA-2019-2885) dovecot-pigeonhole-2.0.9-22.el6_10.1.i686.rpm | Linux
(CESA-2019:2836) dovecot security update dovecot-devel-2.2.36-3.el7_7.1.x86_64.rpm | Linux
SUSE-SU-2019:2454-1 (SUSE Linux Enterprise Server 12-SP5) dovecot22-2.2.31-19.17.1.x86_64.rpm | Linux
SUSE-SU-2019:2454-1 (SUSE Linux Enterprise Server 12-SP5) dovecot22-backend-mysql-2.2.31-19.17.1.x86_64.rpm | Linux
SUSE-SU-2019:2454-1 (SUSE Linux Enterprise Server 12-SP5) dovecot22-backend-mysql-debuginfo-2.2.31-19.17.1.x86_64.rpm | Linux
SUSE-SU-2019:2454-1 (SUSE Linux Enterprise Server 12-SP5) dovecot22-backend-pgsql-2.2.31-19.17.1.x86_64.rpm | Linux
SUSE-SU-2019:2454-1 (SUSE Linux Enterprise Server 12-SP5) dovecot22-backend-pgsql-debuginfo-2.2.31-19.17.1.x86_64.rpm | Linux
SUSE-SU-2019:2454-1 (SUSE Linux Enterprise Server 12-SP5) dovecot22-backend-sqlite-2.2.31-19.17.1.x86_64.rpm | Linux
SUSE-SU-2019:2454-1 (SUSE Linux Enterprise Server 12-SP5) dovecot22-backend-sqlite-debuginfo-2.2.31-19.17.1.x86_64.rpm | Linux
SUSE-SU-2019:2454-1 (SUSE Linux Enterprise Server 12-SP5) dovecot22-debuginfo-2.2.31-19.17.1.x86_64.rpm | Linux
SUSE-SU-2019:2454-1 (SUSE Linux Enterprise Server 12-SP5) dovecot22-debugsource-2.2.31-19.17.1.x86_64.rpm | Linux
