{
  "threat_severity" : "Moderate",
  "public_date" : "2019-04-18T00:00:00Z",
  "bugzilla" : {
    "description" : "dovecot: Mishandling of invalid UTF-8 characters by the JSON encoder leads to a possible DoS attack.",
    "id" : "1701216",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1701216"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-228",
  "details" : [ "The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username." ],
  "statement" : "A flaw was found in the JSON encoder in dovecot. An attacker could crash the application by supplying invalid UTF-8 characters in the login name during authentication, or by using an invalid UTF-8 sequence in an email when the OX push notification driver is enabled. The versions of dovecot shipped with Red Hat Enterprise Linux did not include the vulnerable code and therefore were not affected by this flaw.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "dovecot",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "dovecot",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "dovecot",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "dovecot",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10691\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10691" ],
  "name" : "CVE-2019-10691",
  "csaw" : false
}