Vulnerability Details CVE-2020-3812
qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local attacker can test for the existence of files and directories anywhere in the filesystem because qmail-verify runs as root and tests for the existence of files in the attacker's home directory, without dropping its privileges first.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 14.1%
CVSS Severity
CVSS v3 Score 5.5
CVSS v2 Score 2.1
References
- https://bugs.debian.org/961060
- https://lists.debian.org/debian-lts-announce/2020/06/msg00002.html
- https://usn.ubuntu.com/4556-1/
- https://www.debian.org/security/2020/dsa-4692
- https://www.openwall.com/lists/oss-security/2020/05/19/8
- https://bugs.debian.org/961060
- https://lists.debian.org/debian-lts-announce/2020/06/msg00002.html
- https://usn.ubuntu.com/4556-1/
- https://www.debian.org/security/2020/dsa-4692
- https://www.openwall.com/lists/oss-security/2020/05/19/8
Products affected by CVE-2020-3812
-
cpe:2.3:a:netqmail:netqmail:1.06
-
cpe:2.3:o:canonical:ubuntu_linux:20.04
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0