CVE-2019-11500
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-11500
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11500.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-11500
- Downstream
- Related
- Published
- 2019-08-29T14:15:11Z
- Modified
- 2025-10-28T04:00:08.076594Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.
- References
-
- http://www.openwall.com/lists/oss-security/2019/08/28/3
- https://access.redhat.com/errata/RHSA-2019:2822
- https://access.redhat.com/errata/RHSA-2019:2836
- https://access.redhat.com/errata/RHSA-2019:2885
- https://dovecot.org/pipermail/dovecot-news/2019-August/000417.html
- https://lists.debian.org/debian-lts-announce/2019/08/msg00035.html
- https://security.gentoo.org/glsa/201908-29
- https://www.dovecot.org/security.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00026.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GYTZLLDNIFWT7D7JSB25ERJNMOR4CQ3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KVHY3MU2OK2EWZJFGNDSAOMD42L7DFPX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSJVVVRAE3SITC2ZLGCPMFDN3WVYZBWF/
Affected packages
Git / github.com/dovecot/pigeonhole
Affected ranges
- Type
- GIT
- Repo
- https://github.com/dovecot/pigeonhole
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.4.0
0.4.1
0.4.10
0.4.10.rc1
0.4.10.rc2
0.4.11
0.4.11.rc1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.7.rc1
0.4.7.rc2
0.4.7.rc3
0.4.8
0.4.8.rc1
0.4.8.rc2
0.4.8.rc3
0.4.9
0.4.9.rc1
0.5.7
0.5.7.1
Git / github.com/dovecot/core
Affected ranges
- Type
- GIT
- Repo
- https://github.com/dovecot/core
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.1.alpha1
1.1.alpha2
1.1.alpha4
1.1.alpha5
1.1.alpha6
1.1.beta1
1.1.beta10
1.1.beta11
1.1.beta12
1.1.beta13
1.1.beta14
1.1.beta16
1.1.beta2
1.1.beta3
1.1.beta4
1.1.beta5
1.1.beta6
1.1.beta8
1.1.beta9
1.1.rc1
1.1.rc2
1.1.rc3
1.1.rc4
1.1.rc5
1.1.rc6
1.1.rc7
1.1.rc8
1.2.alpha1
1.2.alpha2
1.2.alpha3
1.2.alpha4
1.2.alpha5
1.2.beta1
1.2.beta2
1.2.beta3
1.2.beta4
1.2.rc1
2.*
2.0.0
2.0.1
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.alpha1
2.0.alpha2
2.0.alpha3
2.0.beta1
2.0.beta2
2.0.beta3
2.0.beta4
2.0.beta5
2.0.beta6
2.0.rc1
2.0.rc2
2.0.rc3
2.0.rc4
2.0.rc5
2.0.rc6
2.1.0
2.1.1
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.alpha1
2.1.alpha2
2.1.beta1
2.1.rc1
2.1.rc2
2.1.rc3
2.1.rc4
2.1.rc5
2.1.rc6
2.1.rc7
2.2.0
2.2.1
2.2.10
2.2.11
2.2.12
2.2.13
2.2.13.rc1
2.2.14
2.2.14.rc1
2.2.15
2.2.16
2.2.16.rc1
2.2.17
2.2.17.rc1
2.2.17.rc2
2.2.18
2.2.19
2.2.19.rc1
2.2.19.rc2
2.2.2
2.2.20
2.2.20.rc1
2.2.3
2.2.36
2.2.36.1
2.2.36.3
2.2.36.rc1
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.alpha1
2.2.beta1
2.2.beta2
2.2.rc1
2.2.rc2
2.2.rc3
2.2.rc4
2.2.rc5
2.2.rc6
2.2.rc7