PT-2023-24679 · Mailcow

Vladimirborisov · Published 2023-06-07 · Updated 2023-06-15 · CVE-2023-34108

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: mailcow versions prior to 2023-05a
Description: A vulnerability has been discovered in mailcow that allows an attacker to inject Dovecot passdb extra fields by using a specially crafted password during the authentication process. The issue arises from the behavior of the passwd-verify.lua script, which Dovecot calls to verify user passwords during login attempts. The script hands the password back to Dovecot as the string "password=<password>", and Dovecot parses that returned string as whitespace-separated key=value extra fields. By choosing a password that contains spaces followed by additional key=value pairs, an attacker can append arbitrary fields to the returned string and influence the internal behavior of Dovecot. For example, the password "123 mail_crypt_save_version=0" would cause the passwd-verify.lua script to return the string "password=123 mail_crypt_save_version=0", which Dovecot interprets as the password "123" plus the extra field mail_crypt_save_version=0 (the setting that disables encryption of newly saved mail). This vulnerability can be exploited by an authenticated attacker who is able to set their own password. Successful exploitation could result in bypassing security controls such as mail encryption, unauthorized access to user accounts, or other malicious activity.
Recommendations: For versions prior to 2023-05a, upgrade to version 2023-05a to resolve the issue. As a temporary workaround until the upgrade is applied, consider restricting the ability of users to set their own passwords, since the attack requires control over the password value. Additionally, monitor user account activity for any signs of unauthorized access or malicious behavior.
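The mechanism above, reduced to a runnable model. This is an added example for this advisory, not code from mailcow or Dovecot: it assumes, as a simplified model, that Dovecot splits the string returned by the Lua passdb's auth_passdb_lookup() on whitespace and treats each token as a key=value extra field, and it assumes (from the Dovecot Lua auth documentation) that a table of fields can be returned instead of a string. The field names password and mail_crypt_save_version are real Dovecot names; the helper names, the SENSITIVE_EXTRA_FIELDS list and the sample password are constructed here.

```python
"""Model of the CVE-2023-34108 mechanism: a Dovecot Lua passdb that builds its
extra-field string by concatenating the user-controlled password.

Added example, not mailcow's or Dovecot's own code. Assumption: Dovecot splits
the returned string on whitespace into key=value passdb extra fields (the real
parser lives in Dovecot's C auth code; this is a simplified re-implementation).
"""

# Extra fields a passdb may legitimately set but an attacker must not control.
# Illustrative selection, not an exhaustive list.
SENSITIVE_EXTRA_FIELDS = {"mail_crypt_save_version", "nopassword", "allow_nets"}


def parse_extra_fields(returned: str) -> dict:
    """Simplified model of how Dovecot parses a passdb's extra-field string:
    whitespace-separated tokens, each 'key=value'; a bare key gets ''."""
    fields = {}
    for token in returned.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def vulnerable_lookup(password: str) -> dict:
    """Pre-2023-05a shape: return "password=" .. password as a string, which
    Dovecot then re-parses. Spaces in the password become new fields."""
    returned = "password=" + password
    return parse_extra_fields(returned)


def hardened_lookup(password: str) -> dict:
    """Hardened shape: hand Dovecot a structured field set so the password value
    is never re-parsed. (Assumption: Dovecot's Lua passdb accepts a table of
    extra fields as its second return value; this dict stands in for it.)"""
    return {"password": password}


def injected_fields(password: str) -> set:
    """Detection helper for operators: which extra fields would this password
    smuggle in under the vulnerable lookup? Empty set means no injection."""
    return set(vulnerable_lookup(password)) - {"password"}


if __name__ == "__main__":
    # Constructed sample mirroring the advisory's example password.
    crafted = "123 mail_crypt_save_version=0"
    print("vulnerable:", vulnerable_lookup(crafted))
    print("hardened:  ", hardened_lookup(crafted))
    print("sensitive fields injected:",
          injected_fields(crafted) & SENSITIVE_EXTRA_FIELDS)
```

Under the vulnerable lookup the crafted password yields the password "123" plus a separate mail_crypt_save_version field; under the hardened lookup the whole string stays the password and nothing else reaches Dovecot. injected_fields() is the check an operator can run over candidate passwords (or over a password-change endpoint) while the workaround of blocking user-set passwords is in place.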

Exploit

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2023-34108
GHSA-MHH4-QCHC-PV22

Affected Products

Dovecot
Mailcow