Gentoo update for Dovecot

Published: 2021-07-18

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2021-29157 CVE-2021-33515
CWE-ID	CWE-22 CWE-74
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Gentoo Linux Operating systems & Components / Operating system
Vendor	Gentoo

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU54285

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-29157

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a local user to perform directory traversal attacks.

The vulnerability exists due to validation of kid and azp fields in JWT tokens. A local user to ability to control a JWT token location can login as any MTA user and access their emails.

Mitigation

Update the affected packages.
net-mail/dovecot to version: 2.3.14.1

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3

cpe:2.3:o:gentoo:gentoo_linux:*:*:*:*:*:*:*:*

External links

https://security.gentoo.org/
https://security.gentoo.org/glsa/202107-41

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Code injection

EUVDB-ID: #VU54286

Risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-33515

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')