Open-Xchange Security Advisory 2021-06-21
Vendor: OX Software GmbH
Internal reference: DOV-4476 (Bug ID)
Vulnerability type: CWE-24: Path Traversal: '../filedir'
Vulnerable version: 2.3.11-2.3.14
Vulnerable component: imap, pop3, submission, managesieve
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 188.8.131.52
Vendor notification: 2021-03-22
Solution date: 2021-04-14
Public disclosure: 2021-06-21
CVE reference: CVE-2021-29157
CVSS: 6.7 (CVSS3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Researcher credit: Kirin of Tencent Security Xuanwu Lab
Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens in some configurations. This requires attacker to be able to write files to local disk.
Local attacker can login as any user and access their emails.
Disable local JWT validation in oauth2, or use a different dict driver than fs:posix.
Operators should update to 184.108.40.206 or later version.