Julian Brook

#29588 of 53,633
8.8 Total CVSS
Vulnerabilities · 1
PT-2022-3492
8.8
2022-07-06
Dovecot · Dovecot · CVE-2022-30550
**Name of the Vulnerable Software and Affected Versions**

Dovecot versions 2.2 through 2.3.19.

**Description**

An issue in the auth component of Dovecot can lead to an unintended security configuration, permitting privilege escalation in certain configurations. It occurs when two passdb configuration entries have the same driver and args settings: the wrong `username_filter` and mechanism settings are then applied to the passdb definitions. The documentation does not advise against passdb definitions with identical driver and args settings, so an administrator may use the same PAM configuration or passwd file for both normal and master users while attempting to restrict which users can be master users with the `username_filter` setting; in that configuration the restriction is not applied as intended.

**Recommendations**

For Dovecot versions 2.2 through 2.3.19, update to version 2.3.20 or later. As a temporary workaround, review the passdb configuration entries so that no two entries share the same driver and args settings, and adjust the `username_filter` and mechanism settings accordingly so that the intended restrictions are applied.