Open-Xchange Security Advisory 2021-06-21

Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-4476 (Bug ID) Vulnerability type: CWE-24: Path Traversal: '../filedir' Vulnerable version: 2.3.11-2.3.14 Vulnerable component: imap, pop3, submission, managesieve Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.14.1 Vendor notification: 2021-03-22 Solution date: 2021-04-14 Public disclosure: 2021-06-21 CVE reference: CVE-2021-29157 CVSS: 6.7 (CVSS3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) Researcher credit: Kirin of Tencent Security Xuanwu Lab

Vulnerability Details:

Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens in some configurations. This requires attacker to be able to write files to local disk.

Risk:

Local attacker can login as any user and access their emails.

Workaround:

Disable local JWT validation in oauth2, or use a different dict driver than fs:posix.

Solution:

Operators should update to 2.3.14.1 or later version.