Vulnerability Details : CVE-2020-24386
An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).
Products affected by CVE-2020-24386
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-24386
0.38%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 73 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-24386
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.9
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:N |
6.8
|
4.9
|
NIST | |
6.8
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
1.6
|
5.2
|
NIST |
References for CVE-2020-24386
-
https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
[Dovecot-news] CVE-2020-24386: IMAP hibernation allows accessing other peoples mailMailing List;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/
[SECURITY] Fedora 32 Update: dovecot-2.3.13-2.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
http://seclists.org/fulldisclosure/2021/Jan/18
Full Disclosure: CVE-2020-24386: IMAP hibernation allows accessing other peoples mailMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202101-01
Dovecot: Multiple vulnerabilities (GLSA 202101-01) — Gentoo securityThird Party Advisory
-
https://dovecot.org/security
SecurityVendor Advisory
-
http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html
Dovecot 2.3.11.3 Access Bypass ≈ Packet StormMailing List;Third Party Advisory;VDB Entry
-
http://www.openwall.com/lists/oss-security/2021/01/04/4
oss-security - CVE-2020-24386: Dovecot: IMAP hibernation allows accessing other peoples mailMailing List;Third Party Advisory
-
https://doc.dovecot.org/configuration_manual/hibernation/
Hibernation — Dovecot documentationVendor Advisory
-
https://www.debian.org/security/2021/dsa-4825
Debian -- Security Information -- DSA-4825-1 dovecotThird Party Advisory
Jump to