[Dovecot-news] CVE-2021-29157: oauth2 JWT local validation path traversal

Timo Sirainen timo at sirainen.com
Mon Jun 21 14:51:25 EEST 2021

Open-Xchange Security Advisory 2021-06-21

Product: Dovecot
Vendor: OX Software GmbH
Internal reference: DOV-4476 (Bug ID)
Vulnerability type: CWE-24: Path Traversal: '../filedir'
Vulnerable version: 2.3.11-2.3.14
Vulnerable component: imap, pop3, submission, managesieve
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version:
Vendor notification: 2021-03-22
Solution date: 2021-04-14
Public disclosure: 2021-06-21
CVE reference: CVE-2021-29157
Researcher credit: Kirin of Tencent Security Xuanwu Lab

Vulnerability Details:

Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens in some configurations. This requires attacker to be able to write files to local disk.


Local attacker can login as any user and access their emails.


Disable local JWT validation in oauth2, or use a different dict driver than fs:posix.


Operators should update to or later version.

More information about the Dovecot-news mailing list