{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/centos8.4els/vex/2019/cve-2019-3814-els_os-centos8_4els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-20T16:10:12Z",
      "generator": {
        "date": "2026-04-20T16:10:12Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2019-3814-ELS_OS-CENTOS8.4ELS",
      "initial_release_date": "2019-03-27T13:29:00Z",
      "revision_history": [
        {
          "date": "2019-03-27T13:29:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-14T11:44:36Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2026-04-20T16:10:12Z",
          "number": "3",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "3"
    },
    "title": "Security update on CVE-2019-3814"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 8.4",
                "product": {
                  "name": "Community Enterprise Operating System 8.4",
                  "product_id": "CentOS-8.4",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:8.4:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-devel-1:2.3.8-9.el8.x86_64",
                "product": {
                  "name": "dovecot-devel-1:2.3.8-9.el8.x86_64",
                  "product_id": "dovecot-devel-1:2.3.8-9.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/centos/dovecot-devel@2.3.8-9.el8?arch=x86_64&epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-devel-1:2.3.8-9.el8.i686",
                "product": {
                  "name": "dovecot-devel-1:2.3.8-9.el8.i686",
                  "product_id": "dovecot-devel-1:2.3.8-9.el8.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/centos/dovecot-devel@2.3.8-9.el8?arch=i686&epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.x86_64",
                "product": {
                  "name": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.x86_64",
                  "product_id": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/dovecot-devel@2.3.8-9.el8.tuxcare.els1?arch=x86_64&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.x86_64",
                "product": {
                  "name": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.x86_64",
                  "product_id": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/dovecot-devel@2.3.8-9.el8.tuxcare.els2?arch=x86_64&epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.i686",
                "product": {
                  "name": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.i686",
                  "product_id": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/dovecot-devel@2.3.8-9.el8.tuxcare.els1?arch=i686&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.i686",
                "product": {
                  "name": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.i686",
                  "product_id": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/dovecot-devel@2.3.8-9.el8.tuxcare.els2?arch=i686&epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.x86_64"
        },
        "product_reference": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CentOS-8.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.i686 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.i686"
        },
        "product_reference": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.i686",
        "relates_to_product_reference": "CentOS-8.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.i686 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.i686"
        },
        "product_reference": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.i686",
        "relates_to_product_reference": "CentOS-8.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.x86_64 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.x86_64"
        },
        "product_reference": "dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.x86_64",
        "relates_to_product_reference": "CentOS-8.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-devel-1:2.3.8-9.el8.x86_64 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.x86_64"
        },
        "product_reference": "dovecot-devel-1:2.3.8-9.el8.x86_64",
        "relates_to_product_reference": "CentOS-8.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-devel-1:2.3.8-9.el8.i686 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.i686"
        },
        "product_reference": "dovecot-devel-1:2.3.8-9.el8.i686",
        "relates_to_product_reference": "CentOS-8.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-3814",
      "cwe": {
        "id": "CWE-295",
        "name": "Improper Certificate Validation"
      },
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.i686",
          "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.i686",
          "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.x86_64",
          "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.i686",
          "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.x86_64",
          "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-3814"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00067.html"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2019:3467",
          "url": "https://access.redhat.com/errata/RHSA-2019:3467"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3814"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLI55NGRDTGMVOPYFCPPFNPA5VKYSSY/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFZ5OWRIZGIWZJ5PTNVWWZNLLNH4XYS/"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/201904-19",
          "url": "https://security.gentoo.org/glsa/201904-19"
        },
        {
          "category": "external",
          "summary": "https://www.dovecot.org/list/dovecot/2019-February/114575.html",
          "url": "https://www.dovecot.org/list/dovecot/2019-February/114575.html"
        }
      ],
      "release_date": "2019-03-27T13:29:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "This flaw only applies when Dovecot is explicitly configured to both require client TLS certificates and derive the username from the certificate (auth_ssl_require_client_cert=yes and auth_ssl_username_from_cert=yes); default username/password authentication is unaffected. Successful exploitation also requires the attacker to already possess a CA-trusted client certificate that lacks the configured username field, and it meaningfully enables impersonation only where password verification has been disabled for that service. Given these strict, non-default prerequisites and the high attack complexity, the practical risk to centrally managed enterprise VM/server deployments is low and the issue can be safely deprioritized. Whether a host meets these prerequisites can be confirmed by checking the two settings above in the active Dovecot configuration (for example, in the output of doveconf -n).",
          "product_ids": [
            "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.i686",
            "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.i686",
            "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.x86_64",
            "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.i686",
            "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.x86_64",
            "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.i686",
            "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.i686",
            "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els1.x86_64",
            "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.i686",
            "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.tuxcare.els2.x86_64",
            "CentOS-8.4:dovecot-devel-1:2.3.8-9.el8.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}