CVE-2020-24386

CVE-2020-24386

Name

CVE-2020-24386

Description

An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Vendor Advisory	https://dovecot.org/security
Mailing List	https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html
Mailing List	http://www.openwall.com/lists/oss-security/2021/01/04/4
Vendor Advisory	https://doc.dovecot.org/configuration_manual/hibernation/
Third Party Advisory	https://www.debian.org/security/2021/dsa-4825
Mailing List	http://seclists.org/fulldisclosure/2021/Jan/18
Mailing List	http://packetstormsecurity.com/files/160842/Dovecot-2.3.11.3-Access-Bypass.html
Third Party Advisory	https://security.gentoo.org/glsa/202101-01
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GXDKFLOCUP7I4ELGQ2F4P5TGC6NXMYV7/

Type

URI

Vendor Advisory

https://dovecot.org/security

Mailing List

https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html

Mailing List

http://www.openwall.com/lists/oss-security/2021/01/04/4

Vendor Advisory

https://doc.dovecot.org/configuration_manual/hibernation/

Third Party Advisory

https://www.debian.org/security/2021/dsa-4825