CVE-2022-30550

Name: CVE-2022-30550
Creator: NVD / NIST
Published: 2022-07-17T19:15:18.54+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 1.75%

Last modified Jun 17, 2026

CVE-2022-30550 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. EPSS estimates a 1.75% chance of exploitation in the next 30 days.

Description

An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.75%

75.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-287

Affected Software

Vendor	Product	Versions
Dovecot	Dovecot	>= 2.3, < 2.4.0
Dovecot	Dovecot	2.2
Debian	Debian Linux	10.0

References

https://dovecot.org/securityVendor Advisory
https://lists.debian.org/debian-lts-announce/2022/09/msg00032.htmlMailing List, Third Party Advisory
https://security.gentoo.org/glsa/202310-19Third Party Advisory
https://www.dovecot.org/download/Product
https://www.openwall.com/lists/oss-security/2022/07/08/1Mailing List, Patch, Third Party Advisory
https://dovecot.org/securityVendor Advisory
https://lists.debian.org/debian-lts-announce/2022/09/msg00032.htmlMailing List, Third Party Advisory
https://security.gentoo.org/glsa/202310-19Third Party Advisory
https://www.dovecot.org/download/Product
https://www.openwall.com/lists/oss-security/2022/07/08/1Mailing List, Patch, Third Party Advisory

Timeline

Published: Jul 17, 2022
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2022-30550?

How severe is CVE-2022-30550?

CVE-2022-30550 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 1.75% probability of exploitation in the next 30 days.

How do I fix CVE-2022-30550?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-30550?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST