CVE-2017-2669

Name of the Vulnerable Software and Affected Versions Dovecot versions prior to 2.2.29

Description The issue allows for a denial of service when 'dict' passdb and userdb are used for user authentication. By sending specially crafted %variable fields, an attacker can cause excessive memory usage, leading to a process crash and restart, or excessive CPU usage, causing all authentications to hang.

Recommendations For versions prior to 2.2.29, update to version 2.2.29 or later to resolve the issue. As a temporary workaround, consider restricting the use of 'dict' passdb and userdb for user authentication until a patch is available. Avoid using variable expansion in the username sent by the IMAP/POP3 client to minimize the risk of exploitation.