CVE-2011-4318

Published: Mar 7, 2013Modified: Apr 29, 2026

5.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability: 8.6 / Impact: 4.9

Source: NVD

Description

Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.

Affected (16)

Products: Dovecot: Dovecot

1 product

Configuration A

16 vulnerable

Vulnerable Software	Affected Versions
Dovecot Dovecot	Version 2.0.0
Dovecot Dovecot	Version 2.0.10
Dovecot Dovecot	Version 2.0.11
Dovecot Dovecot	Version 2.0.12
Dovecot Dovecot	Version 2.0.13
Dovecot Dovecot	Version 2.0.14
Dovecot Dovecot	Version 2.0.15
Dovecot Dovecot	Version 2.0.1
Dovecot Dovecot	Version 2.0.2
Dovecot Dovecot	Version 2.0.3
Dovecot Dovecot	Version 2.0.4
Dovecot Dovecot	Version 2.0.5
Dovecot Dovecot	Version 2.0.6
Dovecot Dovecot	Version 2.0.7
Dovecot Dovecot	Version 2.0.8
Dovecot Dovecot	Version 2.0.9

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (18)

http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-0520.html

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/46886

Source: secalert@redhat.com

http://secunia.com/advisories/52311

Source: secalert@redhat.com

Vendor Advisory

http://www.dovecot.org/list/dovecot-news/2011-November/000200.html

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2011/11/18/5

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2011/11/18/7

Source: secalert@redhat.com

https://bugs.gentoo.org/show_bug.cgi?id=390887

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=754980

Source: secalert@redhat.com

http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2013-0520.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/46886

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/52311

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.dovecot.org/list/dovecot-news/2011-November/000200.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2011/11/18/5

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2011/11/18/7

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugs.gentoo.org/show_bug.cgi?id=390887

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=754980

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.