cvedb.io
CVE-2023-34108
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2023-06-07T18:15:09.817 · Last modified 2026-06-17T06:02:54.707

Summary

mailcow is a mail server suite based on Dovecot, Postfix and other open source software that provides a modern web UI for user/server administration. A vulnerability has been discovered in mailcow which allows an attacker to manipulate internal Dovecot variables by using specially crafted passwords during the authentication process. The issue arises from the behavior of the `passwd-verify.lua` script, which is responsible for verifying user passwords during login attempts. Upon a successful login, the script returns a response in the format "password=<valid-password>", indicating successful authentication. By crafting a password with additional key-value pairs appended to it, an attacker can manipulate the returned string and influence the internal behavior of Dovecot. For example,

Affected products

mailcow — mailcow

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.