5.8

CVE-2011-4318

Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DovecotDovecot Version2.0.0
DovecotDovecot Version2.0.1
DovecotDovecot Version2.0.2
DovecotDovecot Version2.0.3
DovecotDovecot Version2.0.4
DovecotDovecot Version2.0.5
DovecotDovecot Version2.0.6
DovecotDovecot Version2.0.7
DovecotDovecot Version2.0.8
DovecotDovecot Version2.0.9
DovecotDovecot Version2.0.10
DovecotDovecot Version2.0.11
DovecotDovecot Version2.0.12
DovecotDovecot Version2.0.13
DovecotDovecot Version2.0.14
DovecotDovecot Version2.0.15
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.32% 0.671
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.8 8.6 4.9
AV:N/AC:M/Au:N/C:P/I:P/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://rhn.redhat.com/errata/RHSA-2013-0520.html
Vendor Advisory
http://secunia.com/advisories/52311
Vendor Advisory
http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1
http://secunia.com/advisories/46886
http://www.dovecot.org/list/dovecot-news/2011-November/000200.html
http://www.openwall.com/lists/oss-security/2011/11/18/5
http://www.openwall.com/lists/oss-security/2011/11/18/7
https://bugs.gentoo.org/show_bug.cgi?id=390887
https://bugzilla.redhat.com/show_bug.cgi?id=754980