CVE-2020-24386

Publication date 4 January 2021

Last updated 25 August 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

6.8 · Medium

Score breakdown

Description

An issue was discovered in Dovecot before 2.3.13. By using IMAP IDLE, an authenticated attacker can trigger unhibernation via attacker-controlled parameters, leading to access to other users' email messages (and path disclosure).

Read the notes from the security team

Status

Package Ubuntu Release Status
dovecot 20.10 groovy
Fixed 1:2.3.11.3+dfsg1-2ubuntu0.1
20.04 LTS focal
Fixed 1:2.3.7.2-1ubuntu3.3
18.04 LTS bionic
Fixed 1:2.2.33.2-1ubuntu4.7
16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected

Notes

mdeslaur

per upstream, Vulnerable version: 2.2.26-2.3.11.3

Severity score breakdown

Parameter Value
Base score 6.8 · Medium
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-4674-1
    • Dovecot vulnerabilities
    • 4 January 2021

Other references