Vulnerability Name:

CVE-2020-28200 (CCN-204480)

Assigned: 2020-11-04
Published: 2021-06-28
Updated: 2022-05-03
Summary: The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.
CVSS v3 Severity: 4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-770
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2020-28200

Source: MISC
Type: Vendor Advisory
https://dovecot.org/security

Source: XF
Type: UNKNOWN
dovecot-cve202028200-dos(204480)

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-208340a217

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-891c1ab1ac

Source: CCN
Type: oss-sec Mailing List, Mon, 28 Jun 2021 10:02:07 +0300
CVE-2020-28200: Dovecot Pigeonhole Sieve excessive resource usage

Source: CCN
Type: Dovecot Web site
Dovecot

Source: CONFIRM
Type: Mailing List, Third Party Advisory
https://www.openwall.com/lists/oss-security/2021/06/28/3

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-28200

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:dovecot:dovecot:*:*:*:*:*:*:*:* (Version < 2.3.15)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:dovecot:dovecot:-:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7986 | P | ant-1.10.12-150200.4.12.5 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:8049 | P | pam-devel-32bit-1.3.0-150000.6.61.1 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:3473 | P | dnsmasq-2.78-18.9.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:95103 | P | dovecot23-2.3.15-58.3 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:93132 | P | (Important) | 2022-05-03
oval:org.opensuse.security:def:99731 | P | (Important) | 2022-04-12
oval:org.opensuse.security:def:112172 | P | dovecot23-2.3.16-1.6 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:105704 | P | dovecot23-2.3.16-1.6 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:111042 | P | Security update for dovecot23 (Moderate) | 2021-09-04
oval:org.opensuse.security:def:99139 | P | (Important) | 2021-09-02
oval:org.opensuse.security:def:70473 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:10333 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:8645 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:1626 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:92582 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:69723 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:9583 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:109423 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:100041 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:93285 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:91994 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:69075 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:8833 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:99333 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:92781 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:69922 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:9782 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:102757 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:96067 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:92189 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:69138 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:9028 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:111696 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:99532 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:92979 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:70285 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:10145 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:102202 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:98944 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:92383 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:69531 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:9391 | P | Security update for dovecot23 (Moderate) | 2021-08-31
oval:org.opensuse.security:def:118519 | P | Security update for dovecot23 (Moderate) | 2021-08-31
    dovecot dovecot *
    fedoraproject fedora 33
    fedoraproject fedora 34
    dovecot dovecot -