Published on April 2nd, 2019

Dovecot CVE-2019-7524 Stack Buffer Overflow Vulnerability


Dovecot is prone to a stack-based buffer-overflow vulnerability.

Attackers can exploit this issue to run arbitrary code within the context of the affected application. Failed exploit attempts may result in denial-of-service conditions.
Dovecot versions 2.0.14 through 2.3.5 are vulnerable.

Information

Bugtraq ID: 107672

Class: Failure to Handle Exceptional Conditions

CVE: CVE-2019-9956

Remote: Yes

Local: No

Published: Apr 02 2019 12:00AM

Updated: Apr 02 2019 12:00AM

Credit: Aki Tuomi

Vulnerable: Dovecot Dovecot 2.3.5
Dovecot Dovecot 2.3.4
Dovecot Dovecot 2.3.2
Dovecot Dovecot 2.3
Dovecot Dovecot 2.2.28
Dovecot Dovecot 2.2.7
Dovecot Dovecot 2.2.5
Dovecot Dovecot 2.2.4
Dovecot Dovecot 2.2.2
Dovecot Dovecot 2.2.1
Dovecot Dovecot 2.1.17
Dovecot Dovecot 2.1.16
Dovecot Dovecot 2.1.15
Dovecot Dovecot 2.0.4
Dovecot Dovecot 2.0.3
Dovecot Dovecot 2.0.2
Dovecot Dovecot 2.2.9
Dovecot Dovecot 2.2.8
Dovecot Dovecot 2.2.6
Dovecot Dovecot 2.2.3
Dovecot Dovecot 2.2.29
Dovecot Dovecot 2.2.26.1
Dovecot Dovecot 2.2.26.0
Dovecot Dovecot 2.2.25.1
Dovecot Dovecot 2.2.16
Dovecot Dovecot 2.2.13 -
Dovecot Dovecot 2.2.10
Dovecot Dovecot 2.2.0
Dovecot Dovecot 2.2
Dovecot Dovecot 2.1.8
Dovecot Dovecot 2.1.7
Dovecot Dovecot 2.1.6
Dovecot Dovecot 2.1.5
Dovecot Dovecot 2.1.4
Dovecot Dovecot 2.1.3
Dovecot Dovecot 2.1.2
Dovecot Dovecot 2.1.14
Dovecot Dovecot 2.1.13
Dovecot Dovecot 2.1.12
Dovecot Dovecot 2.1.11
Dovecot Dovecot 2.1.10
Dovecot Dovecot 2.1.1
Dovecot Dovecot 2.1.0
Dovecot Dovecot 2.0.9
Dovecot Dovecot 2.0.8
Dovecot Dovecot 2.0.7
Dovecot Dovecot 2.0.6
Dovecot Dovecot 2.0.5
Dovecot Dovecot 2.0.16
Dovecot Dovecot 2.0.15
Dovecot Dovecot 2.0.14

Not Vulnerable: Dovecot Dovecot 2.3.5.1
Dovecot Dovecot 2.2.36.3

Exploit

The researcher who discovered this issue has created a proof-of-concept. Please see the references for more information.
