CVE-2008-1199

Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.

CVSS v2.0 4.4 MEDIUM

4.4^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 3.4 / Impact : 6.4

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html
http://secunia.com/advisories/29226
http://secunia.com/advisories/29385
http://secunia.com/advisories/29396
http://secunia.com/advisories/29557
http://secunia.com/advisories/30342
http://secunia.com/advisories/32151
http://security.gentoo.org/glsa/glsa-200803-25.xml
http://www.debian.org/security/2008/dsa-1516
http://www.dovecot.org/list/dovecot-news/2008-March/000061.html	Patch
http://www.redhat.com/support/errata/RHSA-2008-0297.html
http://www.securityfocus.com/archive/1/489133/100/0/threaded
http://www.securityfocus.com/bid/28092	Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/41009
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739
https://usn.ubuntu.com/593-1/
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html
http://secunia.com/advisories/29226
http://secunia.com/advisories/29385
http://secunia.com/advisories/29396
http://secunia.com/advisories/29557
http://secunia.com/advisories/30342
http://secunia.com/advisories/32151
http://security.gentoo.org/glsa/glsa-200803-25.xml
http://www.debian.org/security/2008/dsa-1516
http://www.dovecot.org/list/dovecot-news/2008-March/000061.html	Patch
http://www.redhat.com/support/errata/RHSA-2008-0297.html
http://www.securityfocus.com/archive/1/489133/100/0/threaded
http://www.securityfocus.com/bid/28092	Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/41009
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739
https://usn.ubuntu.com/593-1/
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dovecot:dovecot:0.99.13:::::::*
	cpe:2.3:a:dovecot:dovecot:0.99.14:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.2:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.3:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.4:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.5:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.6:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.7:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.8:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.9:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.10:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.beta2:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.beta3:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.beta7:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.beta8:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc1:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc2:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc3:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc4:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc5:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc6:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc7:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc8:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc9:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc10:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc11:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc12:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc13:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc14:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.rc15:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0_rc29:::::::*

History

21 Nov 2024, 00:43

Information

Published : 2008-03-06 21:44

Updated : 2025-04-09 00:30

NVD link : CVE-2008-1199

Mitre link : CVE-2008-1199

CVE.ORG link : CVE-2008-1199

JSON object : View

Products Affected

dovecot

dovecot

CWE

CWE-16

Configuration

CWE-59

Improper Link Resolution Before File Access ('Link Following')

{"id": "CVE-2008-1199", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.4, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2008-03-06T21:44:00.000", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/29226", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/29385", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/29396", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/29557", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/30342", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/32151", "source": "cve@mitre.org"}, {"url": "http://security.gentoo.org/glsa/glsa-200803-25.xml", "source": "cve@mitre.org"}, {"url": "http://www.debian.org/security/2008/dsa-1516", "source": "cve@mitre.org"}, {"url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/28092", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009", "source": "cve@mitre.org"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739", "source": "cve@mitre.org"}, {"url": "https://usn.ubuntu.com/593-1/", "source": "cve@mitre.org"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html", "source": "cve@mitre.org"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html", "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/29226", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/29385", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/29396", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/29557", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/30342", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/32151", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://security.gentoo.org/glsa/glsa-200803-25.xml", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.debian.org/security/2008/dsa-1516", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/28092", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://usn.ubuntu.com/593-1/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-16"}, {"lang": "en", "value": "CWE-59"}]}], "descriptions": [{"lang": "en", "value": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack."}, {"lang": "es", "value": "Dovecot antes de 1.0.11, cuando se configura para utilizar mail_extra_groups para permitir a Dovecot crear dotlocks en /var/mail, podr\u00eda permitir a usuarios locales leer archivos de mail sensibles para otros usuarios, o modificar archivos o directorios que sean escribibles por el grupo, a trav\u00e9s de un ataque de enlaces simb\u00f3licos."}], "lastModified": "2025-04-09T00:30:58.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0616CCF-D278-4B6D-A58B-393BCA128CF1"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3C7BE64-7C1E-4043-A1C5-D0A7377C01A7"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4240BD98-3C31-42CE-AF8F-045DD4BFC084"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C05ACA0-ED87-4DDF-94B6-8D25BE1790F1"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A8C0C4A-F9DB-4BB7-BFC5-BEC22C3FE40B"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7E00B56-A1E5-4261-8349-37654AA9FB64"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E66427AA-A9D4-413F-8354-EA61407307C1"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D74BE6C7-114D-4885-8472-FFE71C817B8A"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A349510-4D00-4978-93D9-3F9F5E0CD8DE"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B65B9EFD-1531-463C-992E-F0F16AABF9C3"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34BA7146-5793-44F4-9569-9D868FE6E325"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5078363-6B42-491B-A219-F8D8A86132BF"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D680474-C329-4DD0-B4EA-2406E27EC474"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "165A0D0B-C6B0-431F-BF36-223A27CD6A42"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99268D48-CF82-450B-A033-D87AF4109531"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2E09737-8107-45C0-BFF1-FB4CF81564CD"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "91E74D81-DF10-423A-8549-3BB5ED02B5A6"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07D6853E-7E81-443D-8806-C8469217F55C"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D1BE4B6A-47A2-457B-B6B8-8FE5C2026A11"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7382F655-9B27-443D-9397-346FBEADEFDA"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F180045-A0DA-40A3-AD3E-F3402FB6456A"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1A2FFE7-D008-47B4-80E7-AEC176918E06"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C840337-7B31-476B-BBCD-65F4899925E6"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "545EF2F5-9BAE-4612-9958-70A5413818A6"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E80096F8-46D9-42E3-8CDB-99ADA2CBD970"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E504866-3429-4A4C-8278-5C2753D356C7"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "30857130-636F-4719-9F1E-8F6369F40DAC"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9843D7CE-4723-4200-AFD4-5B31545A287E"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "54AF1D92-D89B-4DE4-9D47-72466873A4C7"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "64A8FCA5-1666-48F7-9689-37D9315813F7"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4D517F3-F0A8-4362-89B9-0ED63515283F"}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3AAE9E7C-49CC-48C3-B47C-CDC5802356A7"}], "operator": "OR"}]}], "vendorComments": [{"comment": "Red Hat is aware of this issue and is tracking it via the following bug:\nhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1199\n\nThis issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.\n\nThe Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. \n\nAn update to Red Hat Enterprise Linux 5 was released to correct this issue:\nhttps://rhn.redhat.com/errata/RHSA-2008-0297.html\n", "lastModified": "2008-05-21T00:00:00", "organization": "Red Hat"}], "sourceIdentifier": "cve@mitre.org"}

4.4 /10