oss-sec mailing list archives
CVE-2021-29157: Dovecot oauth2 JWT local validation path traversal
From: Aki Tuomi <aki.tuomi () dovecot fi>
Date: Mon, 28 Jun 2021 09:58:23 +0300 (EEST)
Open-Xchange Security Advisory 2021-06-28 Affected product: Dovecot IMAP Server Vendor: OX Software GmbH Internal reference: DOP-2159 Vulnerability type: Path Traversal (CWE-24) Vulnerable version: 2.3.11 Vulnerable component: oauth2 Report confidence: Confirmed Solution status: Fixed in 2.3.15 Researcher credits: Kirin of Tencent Security Xuanwu Lab. Vendor notification: 2021-03-22 CVE reference: CVE-2021-29157 CVSS: 6.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) Vulnerability Details: If attacker can gain access to local filesystem, it is possible to trick Dovecot to use attacker specified key to validate tokens. Steps to reproduce: Configure Dovecot to perform OAUTH2 authentication with local JWT validation using posix fs driver. Place base64 encoded HS256 shared key in a location that is readable by dovecot, and use ../../../../../location/to/path as key azp. You can now forge tokens and authenticate as any valid user. Risk: Attacker can gain access using forged credentials. Solution: Upgrade to fixed version.
Current thread:
- CVE-2021-29157: Dovecot oauth2 JWT local validation path traversal Aki Tuomi (Jun 28)