| ID |
CVE-2008-1218
|
| Summary |
Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the skip_password_check field to be specified. |
| References |
|
| Vulnerable Configurations |
|
| CVSS |
| Base: | 6.8 (as of 11-10-2018 - 20:30) |
| Impact: | |
| Exploitability: | |
|
| CWE |
CWE-255 |
| CAPEC |
|
| Access |
| Vector | Complexity | Authentication |
| NETWORK |
MEDIUM |
NONE |
|
| Impact |
| Confidentiality | Integrity | Availability |
| PARTIAL |
PARTIAL |
PARTIAL |
|
| cvss-vector
via4
|
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
| refmap
via4
|
| bid | 28181 | | bugtraq | 20080312 rPSA-2008-0108-1 dovecot | | confirm | https://issues.rpath.com/browse/RPL-2341 | | debian | DSA-1516 | | exploit-db | 5257 | | fedora | - FEDORA-2008-2464
- FEDORA-2008-2475
| | gentoo | GLSA-200803-25 | | misc | http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108 | | mlist | - [Dovecot-news] 20080309 Security hole #6: Some passdbs allowed users to log in without a valid password
- [Dovecot-news] 20080309 v1.0.13 and v1.1.rc3 released
| | secunia | - 29226
- 29295
- 29364
- 29385
- 29396
- 29557
- 32151
| | suse | SUSE-SR:2008:020 | | ubuntu | USN-593-1 | | xf | dovecot-tab-authentication-bypass(41085) |
|
| statements
via4
|
| contributor | Joshua Bressers | | lastmodified | 2008-03-12 | | organization | Red Hat | | statement | Not vulnerable. This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux 4 or 5. |
|
| Last major update |
11-10-2018 - 20:30 |
| Published |
10-03-2008 - 23:44 |
| Last modified |
11-10-2018 - 20:30 |
