Test ID:	1.3.6.1.4.1.25623.1.0.112510
Category:	Privilege escalation
Title:	Dovecot 1.1.0 - 2.2.36 and 2.3.0 - 2.3.4 Authentication Bypass Vulnerability
Summary:	Dovecot is prone to an authentication bypass vulnerability.
Description:	Summary: Dovecot is prone to an authentication bypass vulnerability. Vulnerability Insight: If the provided trusted SSL certificate is missing the username field, Dovecot should be failing the authentication. However, the earlier versions will take the username from the user provided authentication fields (e.g. LOGIN command). Vulnerability Impact: If there is no additional password verification, this allows the attacker to login as anyone else in the system. Affected Software/OS: Dovecot versions 1.1.0 through 2.2.36 and 2.3.0 through 2.3.4. Solution: Update to version 2.2.36.1 or 2.3.4.1 respectively. CVSS Score: 4.9 CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2019-3814 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/ https://security.gentoo.org/glsa/201904-19 https://www.dovecot.org/list/dovecot/2019-February/114575.html RedHat Security Advisories: RHSA-2019:3467 https://access.redhat.com/errata/RHSA-2019:3467 SuSE Security Announcement: openSUSE-SU-2019:1220 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html
Copyright	Copyright (C) 2019 Greenbone Networks GmbH

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.