CVE-2021-29157: Dovecot oauth2 JWT local validation path traversal

[Aki Tuomi <aki.tuomi () dovecot fi>]

Open-Xchange Security Advisory 2021-06-28

Affected product: Dovecot IMAP Server
Vendor: OX Software GmbH

Internal reference: DOP-2159 
Vulnerability type: Path Traversal (CWE-24)
Vulnerable version: 2.3.11
Vulnerable component: oauth2
Report confidence: Confirmed
Solution status: Fixed in 2.3.15
Researcher credits: Kirin of Tencent Security Xuanwu Lab.
Vendor notification: 2021-03-22
CVE reference: CVE-2021-29157
CVSS: 6.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Vulnerability Details:
If attacker can gain access to local filesystem, it is possible to trick Dovecot to use attacker specified key to 
validate tokens.

Steps to reproduce:

Configure Dovecot to perform OAUTH2 authentication with local JWT validation using posix fs driver.

Place base64 encoded HS256 shared key in a location that is readable by dovecot, and use 
../../../../../location/to/path as key azp. 

You can now forge tokens and authenticate as any valid user.

Risk:
Attacker can gain access using forged credentials.

Solution:
Upgrade to fixed version.