9.8

CVE-2019-11500

Exploit
In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DovecotDovecot Version < 2.2.36.4
DovecotDovecot Version >= 2.3.0 < 2.3.7.2
DovecotPigeonhole Version < 0.5.7.2
DebianDebian Linux Version8.0
FedoraprojectFedora Version30
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 62.58% 0.991
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://security.gentoo.org/glsa/201908-29
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html
https://www.dovecot.org/security.html
Vendor Advisory
http://www.openwall.com/lists/oss-security/2019/08/28/3
Third Party Advisory
Exploit
Mailing List
https://access.redhat.com/errata/RHSA-2019:2822
https://access.redhat.com/errata/RHSA-2019:2836
https://access.redhat.com/errata/RHSA-2019:2885
https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html
Patch
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/