On 4. Jan 2021, at 14.29, Marc Roos <m.r...@f1-outsourcing.eu> wrote: > > > This also applies when you have users seperated at os level?
Yes, that doesn't make a difference. Only whether hibernation is enabled. > -----Original Message----- > Sent: 04 January 2021 13:03 > To: dovecot-n...@dovecot.org; dovecot@dovecot.org > Subject: CVE-2020-24386: IMAP hibernation allows accessing other peoples > mail > > Open-Xchange Security Advisory 2021-01-04 > > Product: Dovecot > Vendor: OX Software GmbH > Internal reference: DOP-2009 (Bug ID) > Vulnerability type: CWE-150: Improper Neutralization of Escape, Meta, or > Control Sequences Vulnerable version: 2.2.26-2.3.11.3 Vulnerable > component: imap Report confidence: Confirmed Solution status: Fixed by > Vendor Fixed version: 2.3.13 Vendor notification: 2020-08-17 Solution > date: 2020-08-27 Public disclosure: 2021-01-04 CVE reference: > CVE-2020-24386 > CVSS: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N) > > Vulnerability Details: > > When imap hibernation is active, an attacker can cause Dovecot to > discover file system directory structure and access other users' emails > using specially crafted command. The attacker must have valid > credentials to access the mail server. > > Risk: > > Attacker can access other users' emails and filesystem information. > > Workaround: > > Operators can choose to disable IMAP hibernation. IMAP hibernation is > not on by default. To ensure imap hibernation is disabled, make sure > imap_hibernate_timeout is set to 0 or unset. > > Solution: > > Operators should update to 2.3.13 or later version. > >
