CVE-2017-2669

Priority
Description
Dovecot before version 2.2.29 is vulnerable to a denial of service. When
the 'dict' passdb and userdb were used for user authentication, the username
sent by the IMAP/POP3 client was passed through var_expand() to perform
%variable expansion. Sending specially crafted %variable fields could
result in excessive memory usage, causing the process to crash (and
restart), or excessive CPU usage, causing all authentications to hang.
Notes
 tyhicks> Vulnerable versions: 2.2.26 - 2.2.28
Assigned-to
mdeslaur
More Information

Updated: 2019-03-19 12:29:12 UTC (commit 15472795df7e9de45b82f2d36b8b419b939f97b2)