{
  "threat_severity" : "Important",
  "public_date" : "2020-08-12T12:00:00Z",
  "bugzilla" : {
    "description" : "dovecot: Crash due to assert in RPA implementation",
    "id" : "1866317",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1866317"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.", "A flaw was found in Dovecot. An unauthenticated remote attacker can abuse the way Dovecot handles RPA (Remote Passphrase Authentication) requests to crash the authentication process repeatedly, preventing users from logging in. The highest threat from this vulnerability is to system availability; it does not affect confidentiality or integrity." ],
  "acknowledgement" : "Red Hat would like to thank the Dovecot project for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-03T00:00:00Z",
    "advisory" : "RHSA-2020:3617",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "dovecot-1:2.2.36-6.el7_8.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-09-10T00:00:00Z",
    "advisory" : "RHSA-2020:3713",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dovecot-1:2.3.8-2.el8_2.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions",
    "release_date" : "2020-09-14T00:00:00Z",
    "advisory" : "RHSA-2020:3735",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.0",
    "package" : "dovecot-1:2.2.36-5.el8_0.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Extended Update Support",
    "release_date" : "2020-09-14T00:00:00Z",
    "advisory" : "RHSA-2020:3736",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.1",
    "package" : "dovecot-1:2.2.36-10.el8_1.2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "dovecot",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "dovecot",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-12674\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-12674\nhttps://dovecot.org/pipermail/dovecot-news/2020-August/000443.html" ],
  "name" : "CVE-2020-12674",
  "mitigation" : {
    "value" : "Upstream suggests that this flaw can be mitigated by disabling RPA (Remote Passphrase Authentication) until the fixed package is installed. RPA can be disabled by omitting it from the list of mechanisms in the \"auth_mechanisms\" configuration parameter; note that this removes RPA as a login option for any clients that rely on it. More details available at: https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/",
    "lang" : "en:us"
  },
  "csaw" : false
}