PT-2019-1904 · Dovecot+5
Published 2019-02-05 · Updated 2025-01-30 · CVE-2019-7524
CVSS v3.1: 8.8 (High)
Vector: AC:L/AV:L/A:H/C:H/I:H/PR:L/S:C/UI:N
Name of the Vulnerable Software and Affected Versions
Dovecot versions prior to 2.2.36.3
Dovecot versions 2.3.x prior to 2.3.5.1
Description
The vulnerability stems from missing input-buffer size checks in Dovecot's fts and pop3-uidl components when FTS or POP3-UIDL headers are read from a Dovecot index. A local attacker can exploit this to cause a buffer overflow in the indexer-worker process, potentially escalating privileges to root.
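The defect class described above is a length-prefixed record whose declared length is trusted when copying into a fixed-size buffer. The following is an added illustration, not Dovecot's code: it parses a hypothetical header record (an assumed layout of a 4-byte little-endian length followed by the payload) and applies the two size checks whose absence leads to this kind of overflow, rejecting records that are truncated or that would not fit the destination. The record format, function names and sample records are all constructed for this example.

```c
/* Added example (not Dovecot's code): a hardened parser for a
 * length-prefixed header record. The record layout is an assumption
 * made for this illustration: 4-byte little-endian length, then payload. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_MAX_PAYLOAD 64  /* assumed capacity of the fixed-size destination */

enum hdr_status { HDR_OK = 0, HDR_TRUNCATED = -1, HDR_TOO_LONG = -2 };

/* Parse one record from buf[0..buflen) into out[0..outlen).
 * Returns the payload length on success, a negative hdr_status on rejection. */
static int read_header_record(const uint8_t *buf, size_t buflen,
                              char *out, size_t outlen)
{
    if (buflen < 4)
        return HDR_TRUNCATED;            /* not even a complete length field */

    uint32_t len = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                   ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);

    /* Check 1: the declared length must fit in the bytes actually read.
     * Check 2: the declared length must fit in the destination, leaving
     *          room for the terminating NUL.
     * A parser that skips these checks and memcpy()s `len` bytes into a
     * fixed-size buffer is the class of defect this advisory describes. */
    if (len > buflen - 4)
        return HDR_TRUNCATED;
    if (len >= outlen)
        return HDR_TOO_LONG;

    memcpy(out, buf + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Run the parser against a constructed record with a fixed-size destination. */
static int parse_sample(const uint8_t *rec, size_t reclen)
{
    char out[HDR_MAX_PAYLOAD];
    return read_header_record(rec, reclen, out, sizeof out);
}

/* Constructed sample 1: well-formed record, 5-byte payload. */
static int sample_valid(void)
{
    static const uint8_t rec[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
    return parse_sample(rec, sizeof rec);       /* -> 5 */
}

/* Constructed sample 2: declares 200 bytes but only 4 follow. */
static int sample_truncated(void)
{
    static const uint8_t rec[] = { 200, 0, 0, 0, 'a', 'b', 'c', 'd' };
    return parse_sample(rec, sizeof rec);       /* -> HDR_TRUNCATED */
}

/* Constructed sample 3: 100 payload bytes are present, but the
 * destination only holds HDR_MAX_PAYLOAD (64). */
static int sample_too_long(void)
{
    static uint8_t rec[4 + 100];
    rec[0] = 100; rec[1] = rec[2] = rec[3] = 0;
    memset(rec + 4, 'x', 100);
    return parse_sample(rec, sizeof rec);       /* -> HDR_TOO_LONG */
}

int main(void)
{
    printf("valid:     %d\n", sample_valid());
    printf("truncated: %d\n", sample_truncated());
    printf("too long:  %d\n", sample_too_long());
    return 0;
}
```

The third sample is the one that matters for this advisory: every byte the length field promises is really there, so a parser that only checks against the input size would still copy 100 bytes into a 64-byte destination. Both checks are needed, and the destination check must account for any terminator the code appends.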
Recommendations
For Dovecot versions prior to 2.2.36.3, update to version 2.2.36.3 or later.
For Dovecot versions 2.3.x prior to 2.3.5.1, update to version 2.3.5.1 or later.
As a temporary workaround, consider disabling the indexer-worker process until a patch is available.
Restrict access to the fts and pop3-uidl components to minimize the risk of exploitation.
Weakness Enumeration
Buffer Overflow
Affected Products
Alt Linux
CentOS
Dovecot
Red Hat
SUSE
Ubuntu