NVD Vulnerability Detail

CVE-2019-3814

Summary	It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.
Publication Date	March 27, 2019, 10:29 p.m.
Registration Date	Jan. 26, 2021, 11:42 a.m.
Last Update	Nov. 21, 2024, 1:42 p.m.

Affected software configurations

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::
cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:opensuse:leap:42.3:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html	Mailing List Third Party Advisory
2	http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html	Mailing List Third Party Advisory
3	https://access.redhat.com/errata/RHSA-2019:3467
4	https://access.redhat.com/errata/RHSA-2019:3467
5	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814	Issue Tracking Release Notes Third Party Advisory
6	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814	Issue Tracking Release Notes Third Party Advisory
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/
9	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/
10	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/
11	https://security.gentoo.org/glsa/201904-19
12	https://security.gentoo.org/glsa/201904-19
13	https://www.dovecot.org/list/dovecot/2019-February/114575.html	Exploit Mailing List Vendor Advisory
14	https://www.dovecot.org/list/dovecot/2019-February/114575.html	Exploit Mailing List Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-295	不正な証明書検証	https://cwe.mitre.org/data/definitions/295.html

JVN Vulnerability Information

Dovecot における証明書検証に関する脆弱性

Title	Dovecot における証明書検証に関する脆弱性
Summary	Dovecot には、証明書検証に関する脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 20, 2019, midnight
Registration Date	April 26, 2019, 10:05 a.m.
Last Update	April 26, 2019, 10:05 a.m.

Affected System

Canonical

Ubuntu

Timo Sirainen

Dovecot 2.2.36.1 未満

Dovecot 2.3.4.1 未満

openSUSE project

openSUSE Leap

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-3814	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3814
dovecot
2	CVE-2019-3814: Suitable client certificate can be used to login as other user	https://www.dovecot.org/list/dovecot/2019-February/114575.html
National Vulnerability Database (NVD)
3	CVE-2019-3814	https://nvd.nist.gov/vuln/detail/CVE-2019-3814

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-295	https://cwe.mitre.org/data/definitions/295.html

ベンダー情報

No	Name	URL
Canonical
1	ubuntu	https://jp.ubuntu.com/
opensuse-security-announce
2	openSUSE-SU-2019:1220	http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html

その他

No	Name	URL
関連文書
1	Bug 1673415	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814

Change Log

No	Changed Details	Date of change
1	[2019年04月26日] 掲載	April 26, 2019, 10:05 a.m.