A flaw was found in Dovecot before version 2.3.13. When IMAP hibernation is active, an attacker can cause Dovecot to disclose the file system directory structure and access other users' emails using a specially crafted command. The attacker must have valid credentials to access the mail server. References: https://www.openwall.com/lists/oss-security/2021/01/04/4 https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
Created dovecot tracking bugs for this issue: Affects: fedora-all [bug 1912456]
Mitigation: To mitigate this flaw, ensure that imap_hibernate_timeout is either set to 0 or not set at all (absent or commented out) in both /etc/dovecot/dovecot.conf and /etc/dovecot/conf.d/20-imap.conf.
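The following POSIX shell check is an added example, not part of this bug record or of the Dovecot project. It inspects a Dovecot configuration file for the setting named in the mitigation above and reports whether IMAP hibernation is still active. It assumes Dovecot's plain "key = value" syntax with '#' comments, takes the last occurrence of the key as the effective one, and treats a value of 0 (with or without a trailing time unit such as "0s") as disabled; the sample configuration contents in demo are constructed.

```shell
#!/bin/sh
# Added example: report whether a Dovecot config file still enables IMAP
# hibernation (imap_hibernate_timeout set to a non-zero value).
# Assumptions: "key = value" lines, '#' starts a comment, the last occurrence
# of the key wins, and a value beginning with "0" (e.g. "0", "0s") disables it.
#
# Usage: hibernation_enabled /etc/dovecot/conf.d/20-imap.conf
# Exit status 0 means hibernation is enabled (mitigation NOT applied),
# 1 means the key is unset, commented out, or zero (mitigation applied).
hibernation_enabled() {
    file="$1"
    [ -r "$file" ] || return 1
    # Drop comments, keep only imap_hibernate_timeout assignments (indented
    # lines inside protocol blocks included), take the last one, extract value.
    val=$(sed -e 's/#.*//' "$file" \
        | grep -E '^[[:space:]]*imap_hibernate_timeout[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
    # Unset or commented out: hibernation is off.
    [ -n "$val" ] || return 1
    # Explicit zero (optionally with a unit) also turns it off.
    case "$val" in
        0|0[a-zA-Z]*) return 1 ;;
    esac
    return 0
}

# Check every file an admin would normally look at and print a verdict per file.
# Usage: check_dovecot_files /etc/dovecot/dovecot.conf /etc/dovecot/conf.d/20-imap.conf
check_dovecot_files() {
    for f in "$@"; do
        if hibernation_enabled "$f"; then
            echo "$f: imap_hibernate_timeout is non-zero, IMAP hibernation ENABLED"
        else
            echo "$f: hibernation disabled or not configured"
        fi
    done
}

# Demo on constructed sample configs (not real files from any system).
demo() {
    dir=$(mktemp -d)
    printf 'protocol imap {\n  imap_hibernate_timeout = 5s\n}\n' > "$dir/enabled.conf"
    printf '#imap_hibernate_timeout = 5s\nmail_plugins = $mail_plugins\n' > "$dir/commented.conf"
    printf 'imap_hibernate_timeout = 0\n' > "$dir/zero.conf"
    check_dovecot_files "$dir/enabled.conf" "$dir/commented.conf" "$dir/zero.conf"
    rm -rf "$dir"
}

demo
```

Run check_dovecot_files against both paths listed in the mitigation; any line reporting ENABLED means the workaround has not been applied to that file.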
Upstream commit: https://github.com/dovecot/core/commit/62061e8cf68f506c0ccaaba21fd4174764ca875f
External References: https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1887 https://access.redhat.com/errata/RHSA-2021:1887
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-24386