-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel Unscheduled TSR-2020-0005 Full Disclosure

CPANEL-34212

Summary

Live Transfer causes email accounts to not require a password on the source server.

Security Rating

cPanel has assigned this vulnerability a CVSSv3 score of 5.6 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

Previously, when Exim asked for authentication data, cpdoveauthd would send Exim the response for proxying without a password.
Since Exim ignores “proxy_maybe”, that caused Exim to forgo SMTP authentication in those cases.

Solution

This issue is resolved in the following build:
11.90.0.13
-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEtnCbTMb0IHf2mEGRlSG+3KvZTd8FAl97bkYUHHNlY3VyaXR5
QGNwYW5lbC5uZXQACgkQlSG+3KvZTd9y0g//R310yVCM8pEyTIRTZSCUP94f7Uee
KYSTTRbqiS6syv8qLSOqi27QAIIJ7bcCbKN1Ou+6ZDJjIrwwsdgJW4eKdQ9VXyKd
5EWEsYuqOM55TyUFXkRP7l0o2hO4LvXhDLYBgo0Dj7A1HtSFp4uPGxX6+mOsku8H
4107dWqAIloyLiX8ddXb9hJ/MGPjYWTzeFWivjRXuhDkJrMvt1pc+sZ0dlRLHcju
bDuMzy4JWaAKQVu93qfCASI4z21cUH/vIAwH+f8tnvhnOQf5OD7pD7yh5qXSDrHf
gniL7ycoI5y9SLTnjsK0lbKXbZ7jFFyrASyw2i8yPhoViOrqae0flAMhhc6UsYMs
nwGpf0ZHBrgMZKMpqbpR0Hc1CrwgRIfLlUpZqJuIHdee2onLhZIcumDFswIGWk8U
TcTiZuYPuAJEFEmpXlPa6m0JwQdSwiRPhTWHICNcpCFnDPYL5EJkb1smpSiQLVmc
L7e6z08ZtX0Fw6WV0zSjmN4bWICSO1ilpUwc9tN8FpHpCLcwYJIP64NcreQnnEL0
/lzolTDhiXBI5+J8Tack3XjPz4N1XZeWHXi+qQ3vSs1eYWIS/OBzjaSIxoXSll+U
thr9MaGm4z2N3b2tT6KJr0wPDCTPsxGGQIZFavo/rbTE+edJSLVeWc0Vp/1P9GfQ
R140tIfH+2NpVMs=
=MxXL
-----END PGP SIGNATURE-----