Bug 1201267 - (CVE-2022-30550) VUL-0: CVE-2022-30550: dovecot22,dovecot23: Privilege escalation possible in dovecot when similar master and non-master passdbs are used
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other Other
: P2 - High : Major
: ---
Assigned To: Peter Varkoly
Security Team bot
https://smash.suse.de/issue/336327/
CVSSv3.1:SUSE:CVE-2022-30550:6.8:(AV:...
Depends on:
Blocks:
Reported: 2022-07-06 16:13 UTC by Marcus Meissner
Modified: 2022-08-01 13:46 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2022-07-06 16:13:11 UTC
CVE-2022-30550

Posted by Aki Tuomi on Jul 06
Affected product: Dovecot IMAP Server
Internal reference: DOV-5320
Vulnerability type: Improper Access Control (CWE-284)
Vulnerable version: 2.2
Vulnerable component: submission
Report confidence: Confirmed
Solution status: Fixed in main
Researcher credits: Julian Brook (julezman)
Vendor notification: 2022-05-06
CVE reference: CVE-2022-30550
CVSS: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

Vulnerability Details:
When two passdb...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30550
https://seclists.org/oss-sec/2022/q3/33
Comment 1 Marcus Meissner 2022-07-06 16:28:57 UTC
The advisory says 2.2 ... but 2.3 looks similar.
Comment 2 Swamp Workflow Management 2022-07-18 22:16:26 UTC
SUSE-SU-2022:2432-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1201267
CVE References: CVE-2022-30550
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    dovecot23-2.3.15-150100.31.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    dovecot23-2.3.15-150100.31.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    dovecot23-2.3.15-150100.31.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    dovecot23-2.3.15-150100.31.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    dovecot23-2.3.15-150100.31.1
SUSE Enterprise Storage 6 (src):    dovecot23-2.3.15-150100.31.1
SUSE CaaS Platform 4.0 (src):    dovecot23-2.3.15-150100.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 3 Swamp Workflow Management 2022-07-18 22:17:06 UTC
SUSE-SU-2022:2431-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1201267
CVE References: CVE-2022-30550
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    dovecot23-2.3.15-150000.4.42.1
SUSE Linux Enterprise Server 15-LTSS (src):    dovecot23-2.3.15-150000.4.42.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    dovecot23-2.3.15-150000.4.42.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    dovecot23-2.3.15-150000.4.42.1

Comment 4 Swamp Workflow Management 2022-07-20 13:16:46 UTC
SUSE-SU-2022:2448-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1201267
CVE References: CVE-2022-30550
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    dovecot23-2.3.15-150200.62.1
openSUSE Leap 15.3 (src):    dovecot23-2.3.15-150200.62.1
SUSE Manager Server 4.1 (src):    dovecot23-2.3.15-150200.62.1
SUSE Manager Retail Branch Server 4.1 (src):    dovecot23-2.3.15-150200.62.1
SUSE Manager Proxy 4.1 (src):    dovecot23-2.3.15-150200.62.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    dovecot23-2.3.15-150200.62.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    dovecot23-2.3.15-150200.62.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    dovecot23-2.3.15-150200.62.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    dovecot23-2.3.15-150200.62.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    dovecot23-2.3.15-150200.62.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    dovecot23-2.3.15-150200.62.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    dovecot23-2.3.15-150200.62.1
SUSE Enterprise Storage 7 (src):    dovecot23-2.3.15-150200.62.1

Comment 5 Swamp Workflow Management 2022-08-01 13:46:46 UTC
SUSE-SU-2022:2618-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1201267
CVE References: CVE-2022-30550
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    dovecot22-2.2.31-19.29.1
SUSE OpenStack Cloud 9 (src):    dovecot22-2.2.31-19.29.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    dovecot22-2.2.31-19.29.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    dovecot22-2.2.31-19.29.1
SUSE Linux Enterprise Server 12-SP5 (src):    dovecot22-2.2.31-19.29.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    dovecot22-2.2.31-19.29.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    dovecot22-2.2.31-19.29.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    dovecot22-2.2.31-19.29.1
