7.4
CVE-2026-27856
- EPSS 0.39%
- Veröffentlicht 27.03.2026 08:10:19
- Zuletzt bearbeitet 30.06.2026 03:17:58
- Quelle security@open-xchange.com
- CVE-Watchlists
- Unerledigt
Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm http service port, install fixed version. No publicly available exploits are known.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Open-xchange ≫ Dovecot SwEditionpro Version < 2.3.22.1
Open-xchange ≫ Dovecot SwEditionpro Version >= 3.0.0 < 3.0.5
Open-xchange ≫ Dovecot SwEditionpro Version >= 3.1.0 < 3.1.4
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.39% | 0.31 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.9 | 2.2 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| security@open-xchange.com | 7.4 | 2.2 | 5.2 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.4 | 2.2 | 5.2 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
|
CWE-208 Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json
https://access.redhat.com/errata/RHSA-2026:26564
https://access.redhat.com/security/cve/CVE-2026-27856
https://bugzilla.redhat.com/show_bug.cgi?id=2452171
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27856.json