OXDC-ADV-2025-0001

Metadata

Document type: OX Dovecot Pro Security Advisory
Publisher: Open-Xchange GmbH
Classification: TLP:GREEN
Publication Date: 2025-10-31
Current version: 5
Version status: Final
Aggregate severity: High

References

Vulnerabilities

CVE-2025-30189: v2.4 regression: auth cache broken with several passdb / userdb

CVE reference: CVE-2025-30189open in new window
Internal reference: DOV-7830
CWE: CWE-1250 (Improper Preservation of Consistency Between Independent Representations of Shared State)
Discovery date: 2025-07-25
Researcher credits: Erik <erik@broadlux.com>

Description

When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to be used for these users.

Product status

Last affected

Products	CVSS-Vector	CVSS Base Score
OX Dovecot Pro core 2.4.0	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N	7.4

Threats

Impact

After cached login, all subsequent logins are for same user.

Exploit status

No publicly available exploits are known.

Remediation

Vendor fix (2025-10-29)

For products

OX Dovecot Pro core 2.4.2

Install fixed version or disable caching either globally or for the impacted passdb/userdb drivers.

# OXDC-ADV-2025-0001

# Metadata

# References

# Vulnerabilities

# CVE-2025-30189: v2.4 regression: auth cache broken with several passdb / userdb

# Description

# Product status

# Last affected

# Threats

# Impact

# Exploit status

# Remediation

# Vendor fix (2025-10-29)

# For products