| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1001164706.6293.1761726167034@appsuite-dev.open-xchange.com>
Date: Wed, 29 Oct 2025 10:22:47 +0200 (EET)
From: Aki Tuomi via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Dovecot CVE-2025-30189: Auth cache causes access to wrong
account
Affected product: Dovecot IMAP Server
Internal reference: DOV-7830
Vulnerability type: CWE-1250 (Improper Preservation of Consistency Between Independent Representations of Shared State)
Vulnerable version: 2.4.0, 2.4.1
Vulnerable component: auth
Report confidence: Confirmed
Solution status: Fixed in 2.4.2
Researcher credits: Erik <erik@...adlux.com>
Vendor notification: 2025-07-25
CVE reference: CVE-2025-30189
CVSS: 7.4 (CVSS3.1:AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Vulnerability Details:
Using auth caching with oauth2 passdb, passwd passdb or userdb, or passwd userdb, causes the first lookup to be cached for all the lookups. This is because the cache key is "%u" which no longer actually expands to same as "%{user}".
Workaround:
Disabling auth cache will prevent the issue. This can be done with auth_cache_size=0.
Fix
Install non-vulnerable version of Dovecot. Patch can be found at https://github.com/dovecot/core/compare/a70ce7d3e2f983979e971414c5892c4e30197231%5E...34caed79b76a7b82a2a9c94cf35371bec6c2b826.patch
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists