UBUNTU-CVE-2025-59031

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-59031

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-59031.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-59031

Upstream

CVE-2025-59031

Related

USN-8136-1

Published

2026-03-27T00:00:00Z

Modified

2026-04-22T16:07:10.327224Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Ubuntu - low

Summary

[none]

Details

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided script, instead, use something else like FTS tika. No publicly available exploits are known.

References

Affected packages

Ubuntu:16.04:LTS

dovecot

Package

Name: dovecot
Purl: pkg:deb/ubuntu/dovecot@1:2.2.22-1ubuntu2.14?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:2.*

1:2.2.18-2ubuntu2

1:2.2.22-1ubuntu1

1:2.2.22-1ubuntu2

1:2.2.22-1ubuntu2.1

1:2.2.22-1ubuntu2.2

1:2.2.22-1ubuntu2.3

1:2.2.22-1ubuntu2.4

1:2.2.22-1ubuntu2.6

1:2.2.22-1ubuntu2.7

1:2.2.22-1ubuntu2.8

1:2.2.22-1ubuntu2.9

1:2.2.22-1ubuntu2.10

1:2.2.22-1ubuntu2.11

1:2.2.22-1ubuntu2.12

1:2.2.22-1ubuntu2.13

1:2.2.22-1ubuntu2.14

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dovecot-core",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        },
        {
            "binary_name": "dovecot-gssapi",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        },
        {
            "binary_name": "dovecot-imapd",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        },
        {
            "binary_name": "dovecot-ldap",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        },
        {
            "binary_name": "dovecot-lmtpd",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        },
        {
            "binary_name": "dovecot-lucene",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        },
        {
            "binary_name": "dovecot-managesieved",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        },
        {
            "binary_name": "dovecot-mysql",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        },
        {
            "binary_name": "dovecot-pgsql",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        },
        {
            "binary_name": "dovecot-pop3d",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        },
        {
            "binary_name": "dovecot-sieve",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        },
        {
            "binary_name": "dovecot-solr",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        },
        {
            "binary_name": "dovecot-sqlite",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        },
        {
            "binary_name": "mail-stack-delivery",
            "binary_version": "1:2.2.22-1ubuntu2.14"
        }
    ],
    "priority_reason": "The affected script is shipped as an example"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-59031.json"

Ubuntu:18.04:LTS

dovecot

Package

Name: dovecot
Purl: pkg:deb/ubuntu/dovecot@1:2.2.33.2-1ubuntu4.8?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:2.*

1:2.2.27-3ubuntu1

1:2.2.33.2-1ubuntu1

1:2.2.33.2-1ubuntu2

1:2.2.33.2-1ubuntu3

1:2.2.33.2-1ubuntu4

1:2.2.33.2-1ubuntu4.1

1:2.2.33.2-1ubuntu4.2

1:2.2.33.2-1ubuntu4.3

1:2.2.33.2-1ubuntu4.4

1:2.2.33.2-1ubuntu4.5

1:2.2.33.2-1ubuntu4.6

1:2.2.33.2-1ubuntu4.7

1:2.2.33.2-1ubuntu4.8

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dovecot-core",
            "binary_version": "1:2.2.33.2-1ubuntu4.8"
        },
        {
            "binary_name": "dovecot-gssapi",
            "binary_version": "1:2.2.33.2-1ubuntu4.8"
        },
        {
            "binary_name": "dovecot-imapd",
            "binary_version": "1:2.2.33.2-1ubuntu4.8"
        },
        {
            "binary_name": "dovecot-ldap",
            "binary_version": "1:2.2.33.2-1ubuntu4.8"
        },
        {
            "binary_name": "dovecot-lmtpd",
            "binary_version": "1:2.2.33.2-1ubuntu4.8"
        },
        {
            "binary_name": "dovecot-managesieved",
            "binary_version": "1:2.2.33.2-1ubuntu4.8"
        },
        {
            "binary_name": "dovecot-mysql",
            "binary_version": "1:2.2.33.2-1ubuntu4.8"
        },
        {
            "binary_name": "dovecot-pgsql",
            "binary_version": "1:2.2.33.2-1ubuntu4.8"
        },
        {
            "binary_name": "dovecot-pop3d",
            "binary_version": "1:2.2.33.2-1ubuntu4.8"
        },
        {
            "binary_name": "dovecot-sieve",
            "binary_version": "1:2.2.33.2-1ubuntu4.8"
        },
        {
            "binary_name": "dovecot-solr",
            "binary_version": "1:2.2.33.2-1ubuntu4.8"
        },
        {
            "binary_name": "dovecot-sqlite",
            "binary_version": "1:2.2.33.2-1ubuntu4.8"
        },
        {
            "binary_name": "mail-stack-delivery",
            "binary_version": "1:2.2.33.2-1ubuntu4.8"
        }
    ],
    "priority_reason": "The affected script is shipped as an example"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-59031.json"

Ubuntu:20.04:LTS

dovecot

Package

Name: dovecot
Purl: pkg:deb/ubuntu/dovecot@1:2.3.7.2-1ubuntu3.7?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:2.*

1:2.3.4.1-5ubuntu3

1:2.3.7.2-1ubuntu1

1:2.3.7.2-1ubuntu2

1:2.3.7.2-1ubuntu3

1:2.3.7.2-1ubuntu3.1

1:2.3.7.2-1ubuntu3.2

1:2.3.7.2-1ubuntu3.3

1:2.3.7.2-1ubuntu3.4

1:2.3.7.2-1ubuntu3.5

1:2.3.7.2-1ubuntu3.6

1:2.3.7.2-1ubuntu3.7

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dovecot-auth-lua",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-core",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-gssapi",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-imapd",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-ldap",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-lmtpd",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-lucene",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-managesieved",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-mysql",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-pgsql",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-pop3d",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-sieve",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-solr",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-sqlite",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "dovecot-submissiond",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        },
        {
            "binary_name": "mail-stack-delivery",
            "binary_version": "1:2.3.7.2-1ubuntu3.7"
        }
    ],
    "priority_reason": "The affected script is shipped as an example"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-59031.json"

Ubuntu:22.04:LTS

dovecot

Package

Name: dovecot
Purl: pkg:deb/ubuntu/dovecot@1:2.3.16+dfsg1-3ubuntu2.7?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.3.16+dfsg1-3ubuntu2.7

Affected versions

1:2.*

1:2.3.13+dfsg1-1ubuntu3

1:2.3.16+dfsg1-3ubuntu1

1:2.3.16+dfsg1-3ubuntu2

1:2.3.16+dfsg1-3ubuntu2.1

1:2.3.16+dfsg1-3ubuntu2.2

1:2.3.16+dfsg1-3ubuntu2.4

1:2.3.16+dfsg1-3ubuntu2.6

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dovecot-auth-lua",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-core",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-gssapi",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-imapd",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-ldap",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-lmtpd",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-lucene",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-managesieved",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-mysql",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-pgsql",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-pop3d",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-sieve",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-solr",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-sqlite",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        },
        {
            "binary_name": "dovecot-submissiond",
            "binary_version": "1:2.3.16+dfsg1-3ubuntu2.7"
        }
    ],
    "availability": "No subscription required",
    "priority_reason": "The affected script is shipped as an example"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-59031.json"

Ubuntu:24.04:LTS

dovecot

Package

Name: dovecot
Purl: pkg:deb/ubuntu/dovecot@1:2.3.21+dfsg1-2ubuntu6.3?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.3.21+dfsg1-2ubuntu6.3

Affected versions

1:2.*

1:2.3.20+dfsg1-1ubuntu3

1:2.3.21+dfsg1-2ubuntu1

1:2.3.21+dfsg1-2ubuntu2

1:2.3.21+dfsg1-2ubuntu4

1:2.3.21+dfsg1-2ubuntu5

1:2.3.21+dfsg1-2ubuntu6

1:2.3.21+dfsg1-2ubuntu6.1

1:2.3.21+dfsg1-2ubuntu6.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dovecot-auth-lua",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        },
        {
            "binary_name": "dovecot-core",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        },
        {
            "binary_name": "dovecot-gssapi",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        },
        {
            "binary_name": "dovecot-imapd",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        },
        {
            "binary_name": "dovecot-ldap",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        },
        {
            "binary_name": "dovecot-lmtpd",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        },
        {
            "binary_name": "dovecot-managesieved",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        },
        {
            "binary_name": "dovecot-mysql",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        },
        {
            "binary_name": "dovecot-pgsql",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        },
        {
            "binary_name": "dovecot-pop3d",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        },
        {
            "binary_name": "dovecot-sieve",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        },
        {
            "binary_name": "dovecot-solr",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        },
        {
            "binary_name": "dovecot-sqlite",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        },
        {
            "binary_name": "dovecot-submissiond",
            "binary_version": "1:2.3.21+dfsg1-2ubuntu6.3"
        }
    ],
    "availability": "No subscription required",
    "priority_reason": "The affected script is shipped as an example"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-59031.json"

Ubuntu:25.10

dovecot

Package

Name: dovecot
Purl: pkg:deb/ubuntu/dovecot@1:2.4.1+dfsg1-5ubuntu4.1?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.4.1+dfsg1-5ubuntu4.1

Affected versions

1:2.*

1:2.3.21.1+dfsg1-1ubuntu2

1:2.4.1+dfsg1-5ubuntu1

1:2.4.1+dfsg1-5ubuntu3

1:2.4.1+dfsg1-5ubuntu4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dovecot-auth-lua",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-core",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-flatcurve",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-gssapi",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-imapd",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-ldap",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-lmtpd",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-managesieved",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-mysql",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-pgsql",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-pop3d",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-sieve",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-solr",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-sqlite",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        },
        {
            "binary_name": "dovecot-submissiond",
            "binary_version": "1:2.4.1+dfsg1-5ubuntu4.1"
        }
    ],
    "availability": "No subscription required",
    "priority_reason": "The affected script is shipped as an example"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-59031.json"

Ubuntu:Pro:14.04:LTS

dovecot

Package

Name: dovecot
Purl: pkg:deb/ubuntu/dovecot@1:2.2.9-1ubuntu2.6+esm4?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:2.*

1:2.1.7-7ubuntu3

1:2.2.9-1ubuntu1

1:2.2.9-1ubuntu2

1:2.2.9-1ubuntu2.1

1:2.2.9-1ubuntu2.3

1:2.2.9-1ubuntu2.4

1:2.2.9-1ubuntu2.5

1:2.2.9-1ubuntu2.6

1:2.2.9-1ubuntu2.6+esm1

1:2.2.9-1ubuntu2.6+esm2

1:2.2.9-1ubuntu2.6+esm3

1:2.2.9-1ubuntu2.6+esm4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "dovecot-core",
            "binary_version": "1:2.2.9-1ubuntu2.6+esm4"
        },
        {
            "binary_name": "dovecot-gssapi",
            "binary_version": "1:2.2.9-1ubuntu2.6+esm4"
        },
        {
            "binary_name": "dovecot-imapd",
            "binary_version": "1:2.2.9-1ubuntu2.6+esm4"
        },
        {
            "binary_name": "dovecot-ldap",
            "binary_version": "1:2.2.9-1ubuntu2.6+esm4"
        },
        {
            "binary_name": "dovecot-lmtpd",
            "binary_version": "1:2.2.9-1ubuntu2.6+esm4"
        },
        {
            "binary_name": "dovecot-managesieved",
            "binary_version": "1:2.2.9-1ubuntu2.6+esm4"
        },
        {
            "binary_name": "dovecot-mysql",
            "binary_version": "1:2.2.9-1ubuntu2.6+esm4"
        },
        {
            "binary_name": "dovecot-pgsql",
            "binary_version": "1:2.2.9-1ubuntu2.6+esm4"
        },
        {
            "binary_name": "dovecot-pop3d",
            "binary_version": "1:2.2.9-1ubuntu2.6+esm4"
        },
        {
            "binary_name": "dovecot-sieve",
            "binary_version": "1:2.2.9-1ubuntu2.6+esm4"
        },
        {
            "binary_name": "dovecot-solr",
            "binary_version": "1:2.2.9-1ubuntu2.6+esm4"
        },
        {
            "binary_name": "dovecot-sqlite",
            "binary_version": "1:2.2.9-1ubuntu2.6+esm4"
        },
        {
            "binary_name": "mail-stack-delivery",
            "binary_version": "1:2.2.9-1ubuntu2.6+esm4"
        }
    ],
    "priority_reason": "The affected script is shipped as an example"
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-59031.json"