CVE-2020-10967

MEDIUM

Dovecot < 2.3.10.1 - Unauthenticated Denial of Service via Empty Localpart in Mail

Title source: llm

Description

In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.

References (13)

Core References
Vendor Advisory x_refsource_misc
https://dovecot.org/security
Mailing List, Third Party Advisory x_refsource_confirm
https://www.openwall.com/lists/oss-security/2020/05/18/1
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2020/05/18/1
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4361-1/
Exploit, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/May/37
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4690

Scores

CVSS v3 5.3
EPSS 0.0815
EPSS Percentile 94.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE CWE-20
Status published
Products (1)
dovecot/dovecot < 2.3.10.1
Published May 18, 2020
Tracked Since Feb 18, 2026