Detections
Analytics

FreeBSD : dovecot -- Dovecot DoS when passdb dict was used for authentication (a8c8001b-216c-11e7-80aa-005056925db4)

high Nessus Plugin ID 99750

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Timo Sirainen reports :

passdb/userdb dict: Don't double-expand %variables in keys. If dict was used as the authentication passdb, using specially crafted %variables in the username could be used to cause DoS.

Solution

Update the affected packages.

See Also

https://dovecot.org/list/dovecot-news/2017-April/000341.html

https://dovecot.org/list/dovecot-news/2017-April/000342.html

http://www.nessus.org/u?14a65596

Plugin Details

Severity: High

ID: 99750

File Name: freebsd_pkg_a8c8001b216c11e780aa005056925db4.nasl

Version: 3.7

Type: local

Published: 5/1/2017

Updated: 12/23/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2017-2669

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:freebsd:freebsd, p-cpe:/a:freebsd:freebsd:dovecot, p-cpe:/a:freebsd:freebsd:dovecot2

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 4/30/2017

Vulnerability Publication Date: 12/1/2016

Reference Information

CVE: CVE-2017-2669