Alpine: multiple dovecot packages: security update to 2.4.3-r0

high Tenable Cloud Security Plugin ID 439446

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This
vulnerability allows bypassing authentication for any user and user enumeration. Do not clear
auth_username_chars. If this is not possible, install latest fixed version. No publicly available exploits
are known. (CVE-2026-24031)

- When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all
active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to
break concurrent logins. Install fixed version or disable concurrency in login processes (heavy perfomance
penalty on large deployments). No publicly available exploits are known. (CVE-2025-59028)

- Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-
style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the
system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead,
use something else like FTS tika. No publicly available exploits are known. (CVE-2025-59031)

- Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is
enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is
valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication
happens over unsecure connection, switch to SCRAM protocol. Alternatively ensure the communcations are
secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known.
(CVE-2026-27855)

Solution

Update the dovecot library and its related packages to version 2.4.3-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2025-59028

https://security.alpinelinux.org/vuln/CVE-2025-59031

https://security.alpinelinux.org/vuln/CVE-2026-24031

https://security.alpinelinux.org/vuln/CVE-2026-27855

https://security.alpinelinux.org/vuln/CVE-2026-27856

https://security.alpinelinux.org/vuln/CVE-2026-27857

https://security.alpinelinux.org/vuln/CVE-2026-27859

https://security.alpinelinux.org/vuln/CVE-2026-27860

Plugin Details

Severity: High

ID: 439446

Version: Revision 1.7

Type: Local

Published: 3/30/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 52.04

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:C/A:N

CVSS Score Source: CVE-2026-24031

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/27/2026

Reference Information

CVE: CVE-2025-59028, CVE-2025-59031, CVE-2026-24031, CVE-2026-27855, CVE-2026-27856, CVE-2026-27857, CVE-2026-27859, CVE-2026-27860