It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.
The product does not validate, or incorrectly validates, a certificate.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Dovecot | Dovecot | 1.1.0 (including) | 2.2.36.1 (excluding) |
Dovecot | Dovecot | 2.3.0 (including) | 2.3.4.1 (excluding) |