Vulnerability Details : CVE-2019-11500
In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.
Vulnerability category: Memory CorruptionExecute code
Products affected by CVE-2019-11500
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:pigeonhole:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11500
48.18%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 98 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-11500
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2019-11500
-
The product writes data past the end, or before the beginning, of the intended buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-11500
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/
[SECURITY] Fedora 30 Update: dovecot-2.3.7.2-1.fc30 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2822
RHSA-2019:2822 - Security Advisory - Red Hat Customer Portal
-
https://access.redhat.com/errata/RHSA-2019:2836
RHSA-2019:2836 - Security Advisory - Red Hat Customer Portal
-
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html
[security-announce] openSUSE-SU-2019:2278-1: important: Security update
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/
[SECURITY] Fedora 29 Update: dovecot-2.3.7.2-1.fc29 - package-announce - Fedora Mailing-Lists
-
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html
[security-announce] openSUSE-SU-2019:2281-1: important: Security update
-
https://access.redhat.com/errata/RHSA-2019:2885
RHSA-2019:2885 - Security Advisory - Red Hat Customer Portal
-
https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html
[Dovecot-news] Pigeonhole release v0.5.7.2Patch;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/
[SECURITY] Fedora 31 Update: dovecot-2.3.7.2-1.fc31 - package-announce - Fedora Mailing-Lists
-
http://www.openwall.com/lists/oss-security/2019/08/28/3
oss-security - Critical Dovecot and Pigeonhole vulnerabilityExploit;Mailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html
[SECURITY] [DLA 1901-1] dovecot security updateMailing List;Third Party Advisory
-
https://www.dovecot.org/security.html
SecurityVendor Advisory
-
https://security.gentoo.org/glsa/201908-29
Dovecot: Multiple vulnerabilities (GLSA 201908-29) — Gentoo securityThird Party Advisory
Jump to