Vulnerability Details CVE-2009-3897
Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 24.3%
CVSS Severity
CVSS v3 Score 5.5
CVSS v2 Score 4.6
References
- http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
- http://marc.info/?l=oss-security&m=125871729029145&w=2
- http://marc.info/?l=oss-security&m=125881481222441&w=2
- http://marc.info/?l=oss-security&m=125900267208712&w=2
- http://marc.info/?l=oss-security&m=125900271508796&w=2
- http://secunia.com/advisories/37443
- http://www.dovecot.org/list/dovecot-news/2009-November/000143.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:306
- http://www.osvdb.org/60316
- http://www.securityfocus.com/bid/37084
- http://www.vupen.com/english/advisories/2009/3306
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54363
- http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
- http://marc.info/?l=oss-security&m=125871729029145&w=2
- http://marc.info/?l=oss-security&m=125881481222441&w=2
- http://marc.info/?l=oss-security&m=125900267208712&w=2
- http://marc.info/?l=oss-security&m=125900271508796&w=2
- http://secunia.com/advisories/37443
- http://www.dovecot.org/list/dovecot-news/2009-November/000143.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:306
- http://www.osvdb.org/60316
- http://www.securityfocus.com/bid/37084
- http://www.vupen.com/english/advisories/2009/3306
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54363
Products affected by CVE-2009-3897
-
cpe:2.3:a:dovecot:dovecot:1.2.0
-
cpe:2.3:a:dovecot:dovecot:1.2.1
-
cpe:2.3:a:dovecot:dovecot:1.2.2
-
cpe:2.3:a:dovecot:dovecot:1.2.3
-
cpe:2.3:a:dovecot:dovecot:1.2.4
-
cpe:2.3:a:dovecot:dovecot:1.2.5
-
cpe:2.3:a:dovecot:dovecot:1.2.6
-
cpe:2.3:a:dovecot:dovecot:1.2.7