VDB

ALPINE-CVE-2019-11500

ALPINE-CVE-2019-11500 PUBLISHED CVSS 9.800000190734863 CRITICAL

In Dovecot before 2.2.36.4 and 2.3.x before 2.3.7.2 (and Pigeonhole before 0.5.7.2), protocol processing can fail for quoted strings. This occurs because '\0' characters are mishandled, and can lead to out-of-bounds writes and remote code execution.

Risk Scores

CVSS v3.0
9.800000190734863
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Alpine:v3.11dovecot2.2.22-r0, 2.2.32-r0, 2.3.2.1-r3
Alpine:v3.21dovecot2.0.5-r0, 2.2.10-r0, 2.2.1-r0
Alpine:v3.9dovecot1.2.11-r5, 1.2.12-r0, 1.2.12-r1
Alpine:v3.20dovecot1.1.14-r1, 1.1.15-r0, 1.1.16-r0
Alpine:v3.13dovecot2.2.25-r0, 2.2.10-r0, 2.2.1-r0
Alpine:v3.16dovecot2.3.2.1-r1, 0, 1.1.11-r0
Alpine:v3.23dovecot2.1.9-r0, 0, 1.1.11-r0
Alpine:v3.10dovecot2.0.7-r0, 2.2.27-r1, 2.2.26.0-r0
Alpine:v3.12dovecot2.2.23-r1, 2.2.24-r0, 2.2.24-r1
Alpine:v3.15dovecot2.0.16-r0, 0, 1.1.11-r1
Alpine:v3.14dovecot1.1.16-r0, 1.1.15-r0, 1.1.14-r1
Alpine:v3.8dovecot2.2.10-r0, 2.3.6-r0, 2.3.5.1-r0
Alpine:v3.19dovecot1.1.14-r1, 1.1.15-r0, 1.1.16-r0
Alpine:v3.7dovecot0, 1.1.11-r0, 1.1.11-r1
Alpine:v3.17dovecot2.3.7.1-r0, 0, 1.1.11-r0
Alpine:v3.22dovecot2.3.7.1-r0, 2.3.7-r0, 2.3.6-r1
Alpine:v3.18dovecot2.3.7.1-r0, 2.3.7-r0, 2.3.6-r1

Timeline

  • Aug 29, 2019 CVE Published
  • Dec 3, 2025 CVE Updated
  • Apr 30, 2026 Distribution Patch

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›