Vulnerability Description
Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dovecot | Dovecot | 2.0.0 |
Related Weaknesses (CWE)
References
- http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1
- http://rhn.redhat.com/errata/RHSA-2013-0520.htmlVendor Advisory
- http://secunia.com/advisories/46886
- http://secunia.com/advisories/52311Vendor Advisory
- http://www.dovecot.org/list/dovecot-news/2011-November/000200.html
- http://www.openwall.com/lists/oss-security/2011/11/18/5
- http://www.openwall.com/lists/oss-security/2011/11/18/7
- https://bugs.gentoo.org/show_bug.cgi?id=390887
- https://bugzilla.redhat.com/show_bug.cgi?id=754980
- http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1
- http://rhn.redhat.com/errata/RHSA-2013-0520.htmlVendor Advisory
- http://secunia.com/advisories/46886
- http://secunia.com/advisories/52311Vendor Advisory
- http://www.dovecot.org/list/dovecot-news/2011-November/000200.html
- http://www.openwall.com/lists/oss-security/2011/11/18/5
FAQ
What is CVE-2011-4318?
CVE-2011-4318 is a vulnerability with a CVSS score of 5.8 (MEDIUM). Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Commo...
How severe is CVE-2011-4318?
CVE-2011-4318 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2011-4318?
Check the references section above for vendor advisories and patch information. Affected products include: Dovecot Dovecot.