Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding
An attacker can use a specially crafted base64 exchange to fake SCRAM TLS channel binding, allowing them to eavesdrop on communications between Dovecot and the client. This requires the attacker to be positioned between Dovecot and the client connection. The issue can be fixed by installing the latest version of Dovecot.
An attacker can use a specially crafted base64 exchange between Dovecot and the client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop on communications between Dovecot and the client as a MITM proxy. Install the fixed version. No publicly available exploits are known.
Dovecot users with affected versions are at medium risk of eavesdropping attacks, which could lead to unauthorized access to sensitive data.
What should I do? Monitor and review: low severity; keep this CVE on your radar and patch during routine maintenance.
CVSS 3.1 vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (adjacent network, high attack complexity, no privileges or user interaction required, unchanged scope, high confidentiality and integrity impact, no availability impact)