CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
The ManageSieve AUTHENTICATE command crashes when a literal is used as the SASL initial response. This can be used to crash the ManageSieve service repeatedly, making it unavailable to other users. Control access to the ManageSieve port, or disable the service if it is not needed. Alternatively, upgrade to a fixed version. No publicly available exploits are known.
Analysis
The OX Dovecot Pro ManageSieve service crashes when processing an AUTHENTICATE command whose SASL initial response is sent as a literal rather than a quoted string. Because AUTHENTICATE is issued before any credentials are checked, an unauthenticated remote attacker who can reach the port can crash the service repeatedly and deny it to legitimate users (CVSS 3.1 base score 7.5; confidentiality and integrity unaffected, availability impact High). The vulnerability affects OX Dovecot Pro installations with ManageSieve enabled. No public exploit was identified at the time of analysis, and EPSS data was not provided in the available intelligence.
Technical Context
The vulnerability resides in the ManageSieve protocol implementation within OX Dovecot Pro (CPE cpe:2.3:a:open-xchange_gmbh:ox_dovecot_pro). ManageSieve is an IETF protocol (RFC 5804) that lets users manage server-side mail filtering rules (Sieve scripts). Its AUTHENTICATE command takes a quoted mechanism name and an optional initial response, and that response may be either a quoted string or a literal: a length prefix of the form {n+} followed by CRLF and n octets. The flaw is classified as CWE-20 (Improper Input Validation): the service fails to validate or handle the literal form when it is used as the SASL (Simple Authentication and Security Layer) initial response during the AUTHENTICATE command sequence. The resulting crash terminates the ManageSieve process, dropping in-progress sessions and leaving the service unavailable until it is restarted, after which the attacker can simply send the same command again.
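The following Python is an added example, not code from Dovecot, Pigeonhole, Open-Xchange or this page. It parses a captured client AUTHENTICATE command according to the RFC 5804 grammar (AUTHENTICATE SP auth-type [SP string] CRLF) and reports whether the optional initial response is absent, a quoted string, or a literal. Only the literal form is what the advisory describes as the trigger, so scanning a packet capture or Dovecot rawlog for it is a cheap compensating detection while a deployment is still unpatched. It also decodes the PLAIN identity so a hit can be tied to an account. The sample capture, peer addresses and PLAIN credential are constructed for the example.

```python
"""ManageSieve (RFC 5804) AUTHENTICATE classifier.

Added example for this advisory, not Dovecot/Pigeonhole or Open-Xchange code.
It parses a captured client AUTHENTICATE command and reports whether the
optional SASL initial response is absent, a quoted string, or a literal.
"""
import base64
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# RFC 5804 section 4: client-to-server literals are non-synchronizing,
# written as "{" number "+}" CRLF followed by exactly that many octets.
_LITERAL_RE = re.compile(rb'\{(\d+)\+\}\r\n')
# quoted = DQUOTE *QUOTED-CHAR DQUOTE, where '"' and '\' may be backslash-escaped.
_QUOTED_RE = re.compile(rb'"((?:[^"\\\r\n]|\\["\\])*)"')
_COMMAND_RE = re.compile(rb'AUTHENTICATE ', re.IGNORECASE)


@dataclass
class AuthenticateCommand:
    mechanism: str           # SASL mechanism name, e.g. "PLAIN"
    response_form: str       # "none", "quoted" or "literal"
    initial_response: bytes  # string content with quoting removed (b"" if absent)
    complete: bool           # False when a literal announces more octets than captured
    flagged: bool            # True for the literal form this advisory describes


def _unescape_quoted(raw: bytes) -> bytes:
    return raw.replace(b'\\"', b'"').replace(b'\\\\', b'\\')


def parse_authenticate(buf: bytes) -> Optional[AuthenticateCommand]:
    """Parse one client command (ManageSieve commands carry no tag).

    Returns None for any command other than AUTHENTICATE, or for input that
    does not follow the grammar AUTHENTICATE SP auth-type [SP string] CRLF.
    """
    m = _COMMAND_RE.match(buf)
    if not m:
        return None
    q = _QUOTED_RE.match(buf, m.end())       # auth-type is always a quoted string
    if not q:
        return None
    mechanism = q.group(1).decode('ascii', 'replace')
    pos = q.end()
    if buf.startswith(b'\r\n', pos):         # no initial response at all
        return AuthenticateCommand(mechanism, 'none', b'', True, False)
    if not buf.startswith(b' ', pos):
        return None
    pos += 1
    q = _QUOTED_RE.match(buf, pos)
    if q:
        return AuthenticateCommand(mechanism, 'quoted', _unescape_quoted(q.group(1)), True, False)
    lit = _LITERAL_RE.match(buf, pos)
    if lit:
        n = int(lit.group(1))
        body = buf[lit.end():lit.end() + n]
        # A short body means the capture was cut off (or the client lied about n);
        # the literal form itself is what matters for detection, so flag it anyway.
        return AuthenticateCommand(mechanism, 'literal', body, len(body) == n, True)
    return None


def plain_authcid(cmd: AuthenticateCommand) -> Optional[str]:
    """For PLAIN, return the authentication identity (authzid NUL authcid NUL passwd)."""
    if cmd.mechanism.upper() != 'PLAIN' or not cmd.initial_response:
        return None
    try:
        parts = base64.b64decode(cmd.initial_response, validate=True).split(b'\0')
    except ValueError:                        # binascii.Error is a ValueError
        return None
    return parts[1].decode('utf-8', 'replace') if len(parts) == 3 else None


def flagged_peers(records: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Return the peers whose AUTHENTICATE used a literal initial response."""
    hits = []
    for peer, data in records:
        cmd = parse_authenticate(data)
        if cmd is not None and cmd.flagged:
            hits.append(peer)
    return hits


# Constructed sample capture (peer, raw client data); not real traffic.
# "AHVzZXIAcGFzcw==" is base64("\0user\0pass"), a stand-in credential.
SAMPLE_CAPTURE = [
    ("203.0.113.10:51000", b'AUTHENTICATE "PLAIN" "AHVzZXIAcGFzcw=="\r\n'),
    ("203.0.113.11:51001", b'AUTHENTICATE "PLAIN" {16+}\r\nAHVzZXIAcGFzcw==\r\n'),
    ("203.0.113.12:51002", b'AUTHENTICATE "PLAIN"\r\n'),
    ("203.0.113.13:51003", b'AUTHENTICATE "PLAIN" {4096+}\r\nAAAA'),   # truncated literal
    ("203.0.113.14:51004", b'LOGOUT\r\n'),
]

if __name__ == "__main__":
    for peer, data in SAMPLE_CAPTURE:
        cmd = parse_authenticate(data)
        if cmd is None:
            print(f"{peer}: not an AUTHENTICATE command")
            continue
        print(f"{peer}: {cmd.mechanism} initial response={cmd.response_form} "
              f"complete={cmd.complete} authcid={plain_authcid(cmd) or '?'} "
              f"flagged={cmd.flagged}")
```

A literal initial response is legitimate protocol syntax, so a hit is not proof of an attack on its own; a legitimate client may use it. Correlate hits with managesieve process crash messages in the Dovecot logs and with repeated connections from the same peer before treating them as hostile.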
Affected Products
OX Dovecot Pro installations are affected, as confirmed by the CPE identifier cpe:2.3:a:open-xchange_gmbh:ox_dovecot_pro. The vulnerability specifically impacts deployments with the ManageSieve service enabled and network-accessible. The Ubuntu and Debian entries under Vendor Status below also track the open-source dovecot packages as affected, so the flaw is not limited to the Pro product. Complete version range information was not provided in the available intelligence sources. The vendor Open-Xchange GmbH has published a security advisory in CSAF format at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json, which should contain definitive affected version details and product-specific guidance.
Remediation
Upgrade to the fixed version of OX Dovecot Pro as specified in the vendor security advisory at https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json; the Ubuntu tracker entry below lists upstream Dovecot 2.4.3 as the release carrying the fix, while the distribution packages listed are still marked as needing it. Until patching is possible, restrict access to the ManageSieve port (TCP 4190 by default) with network-level controls so that only trusted IP ranges or VPN clients can reach it; since the crash is triggered before authentication, any host that can complete a TCP connection can trigger it. Organizations that do not need server-side Sieve script management should disable the service entirely by removing sieve from the protocols setting in the Dovecot configuration, which stops the managesieve listener from being started at all. The exact fixed version number for OX Dovecot Pro was not included in the analyzed intelligence feed; take it from the CSAF document.
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| trusty | needed | - |
| xenial | needed | - |
| bionic | needed | - |
| focal | needed | - |
| jammy | needed | - |
| noble | needed | - |
| questing | needed | - |
| upstream | released | 2.4.3 |
Debian
| Release | Status | Package Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1:2.3.13+dfsg1-2+deb11u1 | - |
| bullseye (security) | vulnerable | 1:2.3.13+dfsg1-2+deb11u2 | - |
| bookworm, bookworm (security) | vulnerable | 1:2.3.19.1+dfsg1-2.1+deb12u1 | - |
| trixie | vulnerable | 1:2.4.1+dfsg1-6+deb13u3 | - |
| trixie (security) | vulnerable | 1:2.4.1+dfsg1-6+deb13u1 | - |
| forky, sid | vulnerable | 1:2.4.2+dfsg1-4 | - |
| (unstable) | fixed | (unfixed) | - |
References
EUVD-2025-209092
GHSA-w2gj-cmfm-c4j4