Dovecot does not correctly escape the kid and azp fields in JWT tokens. This may be used to supply attacker-controlled keys to validate tokens in some configurations. This requires the attacker to be able to write files to the local disk. Workaround: Disable local JWT validation in oauth2, or use a different dict driver than fs:posix. Reference: https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html
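As an added illustration of the defensive check this advisory implies (not Dovecot's own code): a local key lookup that treats the kid header and the azp claim of a not-yet-verified token as untrusted path components, allowlisting their characters and then independently confirming the resolved file stays inside the key directory. The directory layout KEY_DIR/<azp>/<kid> and all names are assumptions.

```python
import base64
import json
import re
from pathlib import Path

# Assumed layout (not Dovecot's): one public key file per client under
# KEY_DIR/<azp>/<kid>. Both values come from the token before any
# signature check, so they must be treated as untrusted path input.
KEY_DIR = Path("/srv/example-jwt-keys")  # hypothetical directory

# Conservative allowlist: no separators, and no leading dot, so "." and
# ".." can never pass.
_SAFE = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9_.-]{0,127}")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a compact JWT with an empty signature, for constructing samples."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])

def parse_unverified(token: str) -> tuple:
    """Split a compact JWT into (header, payload) without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])))

def safe_component(value) -> str:
    """Return value if it is usable as a single path component, else raise."""
    if not isinstance(value, str) or not _SAFE.fullmatch(value):
        raise ValueError(f"unsafe path component: {value!r}")
    return value

def key_path(token: str, key_dir: Path = KEY_DIR) -> Path:
    """Resolve the key file for a token, refusing anything outside key_dir."""
    header, payload = parse_unverified(token)
    azp = safe_component(payload.get("azp"))
    kid = safe_component(header.get("kid"))
    candidate = (key_dir / azp / kid).resolve(strict=False)
    base = key_dir.resolve(strict=False)
    if base not in candidate.parents:  # second, independent containment check
        raise ValueError("key path escapes key directory")
    return candidate

def lookup_is_safe(token: str) -> bool:
    try:
        key_path(token)
        return True
    except ValueError:
        return False
```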
Created dovecot tracking bugs for this issue: Affects: fedora-all [bug 1974392]
Upstream fix:
https://github.com/dovecot/core/commit/15682a20d5589ebf5496b31c55ecf9238ff2457b
https://github.com/dovecot/core/commit/368adea6d911d4012274ea1ff5d950a141f1ee89
https://github.com/dovecot/core/commit/dde02b27dfbdad6ed7c1320fba26faad995ee289
https://github.com/dovecot/core/commit/137558d31ce73359b19dbfc0621d16d32176a16e
https://github.com/dovecot/core/commit/cf8f670629cf2b9ff862eb42d5446ac4a9383a84
https://github.com/dovecot/core/commit/8b716828c4a4ba11f2189ce002b80bf62a74538e
https://github.com/dovecot/core/commit/1db66e39500672bc167d5e4e2e7232b8f7d87c05