CVE-2008-2936

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2008-2936
Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script.

6.2 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:H/Au:N/C:C/I:C/A:C

Exploitability : 1.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity HIGH

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References
Link Resource
ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-2.6-20080814.HISTORY
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.3.15.HISTORY
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.4.8.HISTORY
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.4.HISTORY
http://article.gmane.org/gmane.mail.postfix.announce/110
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.html
http://secunia.com/advisories/31469
http://secunia.com/advisories/31474
http://secunia.com/advisories/31477
http://secunia.com/advisories/31485 Vendor Advisory
http://secunia.com/advisories/31500 Vendor Advisory
http://secunia.com/advisories/31530
http://secunia.com/advisories/32231
http://security.gentoo.org/glsa/glsa-200808-12.xml
http://securityreason.com/securityalert/4160
http://wiki.rpath.com/Advisories:rPSA-2008-0259
http://www.debian.org/security/2008/dsa-1629
http://www.kb.cert.org/vuls/id/938323 US Government Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2008:171
http://www.redhat.com/support/errata/RHSA-2008-0839.html
http://www.securityfocus.com/archive/1/495474/100/0/threaded
http://www.securityfocus.com/archive/1/495632/100/0/threaded
http://www.securityfocus.com/archive/1/495882/100/0/threaded
http://www.securityfocus.com/bid/30691 Patch
http://www.securitytracker.com/id?1020700
http://www.vupen.com/english/advisories/2008/2385
https://exchange.xforce.ibmcloud.com/vulnerabilities/44460
https://issues.rpath.com/browse/RPL-2689
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10033
https://usn.ubuntu.com/636-1/
https://www.exploit-db.com/exploits/6337
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00271.html
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00287.html
ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-2.6-20080814.HISTORY
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.3.15.HISTORY
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.4.8.HISTORY
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.4.HISTORY
http://article.gmane.org/gmane.mail.postfix.announce/110
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.html
http://secunia.com/advisories/31469
http://secunia.com/advisories/31474
http://secunia.com/advisories/31477
http://secunia.com/advisories/31485 Vendor Advisory
http://secunia.com/advisories/31500 Vendor Advisory
http://secunia.com/advisories/31530
http://secunia.com/advisories/32231
http://security.gentoo.org/glsa/glsa-200808-12.xml
http://securityreason.com/securityalert/4160
http://wiki.rpath.com/Advisories:rPSA-2008-0259
http://www.debian.org/security/2008/dsa-1629
http://www.kb.cert.org/vuls/id/938323 US Government Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2008:171
http://www.redhat.com/support/errata/RHSA-2008-0839.html
http://www.securityfocus.com/archive/1/495474/100/0/threaded
http://www.securityfocus.com/archive/1/495632/100/0/threaded
http://www.securityfocus.com/archive/1/495882/100/0/threaded
http://www.securityfocus.com/bid/30691 Patch
http://www.securitytracker.com/id?1020700
http://www.vupen.com/english/advisories/2008/2385
https://exchange.xforce.ibmcloud.com/vulnerabilities/44460
https://issues.rpath.com/browse/RPL-2689
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10033
https://usn.ubuntu.com/636-1/
https://www.exploit-db.com/exploits/6337
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00271.html
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00287.html
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:postfix:postfix:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.5:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.6:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.7:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.8:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.9:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.10:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.11:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.12:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.13:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.3.14:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.4.4:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.4.5:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.4.6:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.4.7:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.5.3:*:*:*:*:*:*:*
cpe:2.3:a:postfix:postfix:2.6.0:*:*:*:*:*:*:*
History

21 Nov 2024, 00:48

Type Values Removed Values Added
References () ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-2.6-20080814.HISTORY - () ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-2.6-20080814.HISTORY -
References () ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.3.15.HISTORY - () ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.3.15.HISTORY -
References () ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.4.8.HISTORY - () ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.4.8.HISTORY -
References () ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.4.HISTORY - () ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.4.HISTORY -
References () http://article.gmane.org/gmane.mail.postfix.announce/110 - () http://article.gmane.org/gmane.mail.postfix.announce/110 -
References () http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.html - () http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.html -
References () http://secunia.com/advisories/31469 - () http://secunia.com/advisories/31469 -
References () http://secunia.com/advisories/31474 - () http://secunia.com/advisories/31474 -
References () http://secunia.com/advisories/31477 - () http://secunia.com/advisories/31477 -
References () http://secunia.com/advisories/31485 - Vendor Advisory () http://secunia.com/advisories/31485 - Vendor Advisory
References () http://secunia.com/advisories/31500 - Vendor Advisory () http://secunia.com/advisories/31500 - Vendor Advisory
References () http://secunia.com/advisories/31530 - () http://secunia.com/advisories/31530 -
References () http://secunia.com/advisories/32231 - () http://secunia.com/advisories/32231 -
References () http://security.gentoo.org/glsa/glsa-200808-12.xml - () http://security.gentoo.org/glsa/glsa-200808-12.xml -
References () http://securityreason.com/securityalert/4160 - () http://securityreason.com/securityalert/4160 -
References () http://wiki.rpath.com/Advisories:rPSA-2008-0259 - () http://wiki.rpath.com/Advisories:rPSA-2008-0259 -
References () http://www.debian.org/security/2008/dsa-1629 - () http://www.debian.org/security/2008/dsa-1629 -
References () http://www.kb.cert.org/vuls/id/938323 - US Government Resource () http://www.kb.cert.org/vuls/id/938323 - US Government Resource
References () http://www.mandriva.com/security/advisories?name=MDVSA-2008:171 - () http://www.mandriva.com/security/advisories?name=MDVSA-2008:171 -
References () http://www.redhat.com/support/errata/RHSA-2008-0839.html - () http://www.redhat.com/support/errata/RHSA-2008-0839.html -
References () http://www.securityfocus.com/archive/1/495474/100/0/threaded - () http://www.securityfocus.com/archive/1/495474/100/0/threaded -
References () http://www.securityfocus.com/archive/1/495632/100/0/threaded - () http://www.securityfocus.com/archive/1/495632/100/0/threaded -
References () http://www.securityfocus.com/archive/1/495882/100/0/threaded - () http://www.securityfocus.com/archive/1/495882/100/0/threaded -
References () http://www.securityfocus.com/bid/30691 - Patch () http://www.securityfocus.com/bid/30691 - Patch
References () http://www.securitytracker.com/id?1020700 - () http://www.securitytracker.com/id?1020700 -
References () http://www.vupen.com/english/advisories/2008/2385 - () http://www.vupen.com/english/advisories/2008/2385 -
References () https://exchange.xforce.ibmcloud.com/vulnerabilities/44460 - () https://exchange.xforce.ibmcloud.com/vulnerabilities/44460 -
References () https://issues.rpath.com/browse/RPL-2689 - () https://issues.rpath.com/browse/RPL-2689 -
References () https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10033 - () https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10033 -
References () https://usn.ubuntu.com/636-1/ - () https://usn.ubuntu.com/636-1/ -
References () https://www.exploit-db.com/exploits/6337 - () https://www.exploit-db.com/exploits/6337 -
References () https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00271.html - () https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00271.html -
References () https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00287.html - () https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00287.html -

07 Nov 2023, 02:02

Type Values Removed Values Added
Summary Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script. Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script.
Information

Published : 2008-08-18 19:41

Updated : 2024-11-21 00:48

NVD link : CVE-2008-2936

Mitre link : CVE-2008-2936

CVE.ORG link : CVE-2008-2936

JSON object : View

Products Affected

postfix

  • postfix
CWE
CWE-264

Permissions, Privileges, and Access Controls


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024