Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2009-3897

Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.

Published

2009-11-24T17:30:00.407

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:P/I:P/A:P

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

3.9

Impact Score

6.4

Weaknesses

Type: Primary
CWE-732

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	dovecot	dovecot	< 1.2.8	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html Mailing List ([email protected])
http://marc.info/?l=oss-security&m=125871729029145&w=2 Mailing List, Patch ([email protected])
http://marc.info/?l=oss-security&m=125881481222441&w=2 Mailing List ([email protected])
http://marc.info/?l=oss-security&m=125900267208712&w=2 Mailing List, Patch ([email protected])
http://marc.info/?l=oss-security&m=125900271508796&w=2 Mailing List ([email protected])
http://secunia.com/advisories/37443 Broken Link, Vendor Advisory ([email protected])
http://www.dovecot.org/list/dovecot-news/2009-November/000143.html Mailing List, Patch, Vendor Advisory ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2009:306 Not Applicable ([email protected])
http://www.osvdb.org/60316 Broken Link ([email protected])
http://www.securityfocus.com/bid/37084 Broken Link, Patch, Third Party Advisory, VDB Entry ([email protected])
http://www.vupen.com/english/advisories/2009/3306 Patch, Permissions Required, Vendor Advisory ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/54363 Third Party Advisory, VDB Entry ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=oss-security&m=125871729029145&w=2 Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=oss-security&m=125881481222441&w=2 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=oss-security&m=125900267208712&w=2 Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=oss-security&m=125900271508796&w=2 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/37443 Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.dovecot.org/list/dovecot-news/2009-November/000143.html Mailing List, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2009:306 Not Applicable (af854a3a-2127-422b-91ae-364da2661108)
http://www.osvdb.org/60316 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/37084 Broken Link, Patch, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/3306 Patch, Permissions Required, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/54363 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)