CVE-2017-2669

Summary

Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.

Affected Software

VendorProductVersion RangeStatus
[UNKNOWN]dovecotdovecot 2.2.29affected

Weaknesses

  • CWE-20: CWE-20

ADP Enrichment

CVE Program Container

Additional References

References