CVE-2017-2669

Priority
Description
Dovecot before version 2.2.29 is vulnerable to a denial of service. When
'dict' passdb and userdb were used for user authentication, the username
sent by the IMAP/POP3 client was sent through var_expand() to perform
%variable expansion. Sending specially crafted %variable fields could
result in excessive memory usage causing the process to crash (and
restart), or excessive CPU usage causing all authentications to hang.
Notes
tyhicks> Vulnerable versions: 2.2.26 - 2.2.28
Assigned-to
mdeslaur
Updated: 2018-10-31 21:26:35 UTC (commit cfa7cf69d76449ccff972ac22f40976a08d908c2)