Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.
References
Link | Resource |
---|---|
http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html | Mailing List |
http://marc.info/?l=oss-security&m=125871729029145&w=2 | Mailing List Patch |
http://marc.info/?l=oss-security&m=125881481222441&w=2 | Mailing List |
http://marc.info/?l=oss-security&m=125900267208712&w=2 | Mailing List Patch |
http://marc.info/?l=oss-security&m=125900271508796&w=2 | Mailing List |
http://secunia.com/advisories/37443 | Broken Link Vendor Advisory |
http://www.dovecot.org/list/dovecot-news/2009-November/000143.html | Mailing List Patch Vendor Advisory |
http://www.mandriva.com/security/advisories?name=MDVSA-2009:306 | Not Applicable |
http://www.osvdb.org/60316 | Broken Link |
http://www.securityfocus.com/bid/37084 | Broken Link Patch Third Party Advisory VDB Entry |
http://www.vupen.com/english/advisories/2009/3306 | Patch Permissions Required Vendor Advisory |
https://exchange.xforce.ibmcloud.com/vulnerabilities/54363 | Third Party Advisory VDB Entry |
Configurations
History
08 Feb 2024, 15:21
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-732 | |
CPE | cpe:2.3:a:dovecot:dovecot:1.2.0:*:*:*:*:*:*:* cpe:2.3:a:dovecot:dovecot:1.2.3:*:*:*:*:*:*:* cpe:2.3:a:dovecot:dovecot:1.2.1:*:*:*:*:*:*:* cpe:2.3:a:dovecot:dovecot:1.2.6:*:*:*:*:*:*:* cpe:2.3:a:dovecot:dovecot:1.2.7:*:*:*:*:*:*:* cpe:2.3:a:dovecot:dovecot:1.2.4:*:*:*:*:*:*:* cpe:2.3:a:dovecot:dovecot:1.2.5:*:*:*:*:*:*:* |
cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:* |
CVSS |
v2 : v3 : |
v2 : 4.6
v3 : 5.5 |
References | (VUPEN) http://www.vupen.com/english/advisories/2009/3306 - Patch, Permissions Required, Vendor Advisory | |
References | (SUSE) http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html - Mailing List | |
References | (MLIST) http://marc.info/?l=oss-security&m=125881481222441&w=2 - Mailing List | |
References | (MLIST) http://marc.info/?l=oss-security&m=125871729029145&w=2 - Mailing List, Patch | |
References | (MLIST) http://marc.info/?l=oss-security&m=125900267208712&w=2 - Mailing List, Patch | |
References | (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/54363 - Third Party Advisory, VDB Entry | |
References | (MANDRIVA) http://www.mandriva.com/security/advisories?name=MDVSA-2009:306 - Not Applicable | |
References | (OSVDB) http://www.osvdb.org/60316 - Broken Link | |
References | (MLIST) http://www.dovecot.org/list/dovecot-news/2009-November/000143.html - Mailing List, Patch, Vendor Advisory | |
References | (BID) http://www.securityfocus.com/bid/37084 - Broken Link, Patch, Third Party Advisory, VDB Entry | |
References | (SECUNIA) http://secunia.com/advisories/37443 - Broken Link, Vendor Advisory | |
References | (MLIST) http://marc.info/?l=oss-security&m=125900271508796&w=2 - Mailing List |
Information
Published : 2009-11-24 17:30
Updated : 2024-02-28 11:21
NVD link : CVE-2009-3897
Mitre link : CVE-2009-3897
CVE.ORG link : CVE-2009-3897
JSON object : View
Products Affected
dovecot
- dovecot
CWE
CWE-732
Incorrect Permission Assignment for Critical Resource