CVE-2019-11500

CRITICAL IN THE WILD

Dovecot < 2.2.36.4 and 2.3.x < 2.3.7.2 - Out-of-bounds Write via Quoted String Processing

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-11500 has been observed exploited in the wild (reported by InTheWild.io).

Description

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.

References (13)

Core 13
Core References
Vendor Advisory x_refsource_misc
https://www.dovecot.org/security.html
Exploit, Mailing List, Third Party Advisory x_refsource_confirm
http://www.openwall.com/lists/oss-security/2019/08/28/3
Patch, Vendor Advisory x_refsource_confirm
https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201908-29
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2822
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2836
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2885

Scores

CVSS v3 9.8
EPSS 0.6258
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

InTheWild.io 2021-12-04
CWE
CWE-787
Status published
Products (4)
debian/debian_linux 8.0
dovecot/dovecot < 2.2.36.4
dovecot/pigeonhole < 0.5.7.2
fedoraproject/fedora 30
Published Aug 29, 2019
Tracked Since Feb 18, 2026