FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

dovecot -- multiple vulnerabilities

Affected packages
2.3.11 <= dovecot <


VuXML ID d18f431d-d360-11eb-a32c-00a0989e4ec1
Discovery 2021-03-22
Entry 2021-06-22

Dovecot team reports:

CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens in some configurations. This requires attacker to be able to write files to local disk.

CVE-2021-33515: On-path attacker could inject plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected.


CVE Name CVE-2021-29157
CVE Name CVE-2021-33515