Early Access — Mondoo Vulnerability Intelligence is currently in preview.
Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.
Exploitability
AC:HAV:LPR:LUI:NScope
S:CImpact
A:NC:HI:H7.5/CVSS:3.1/AC:H/AV:L/A:N/C:H/I:H/PR:L/S:C/UI:N