ID CVE-2008-4577
Summary The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
References
Vulnerable Configurations
  • cpe:2.3:a:dovecot:dovecot:-:*:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:alpha4:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:alpha5:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:alpha6:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta10:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta11:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta12:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta13:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta14:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta16:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta4:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta5:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta6:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta8:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:beta9:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:rc5:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:rc6:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:rc7:*:*:*:*:*:*
  • cpe:2.3:a:dovecot:dovecot:1.1.0:rc8:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:10.3-11.1:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
CVSS
Base: 6.4 (as of 21-01-2024 - 02:46)
Impact:
Exploitability:
CWE CWE-863
CAPEC
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity PARTIAL
  • Availability NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:N
oval via4
accepted 2013-04-29T04:05:08.663-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
family unix
id oval:org.mitre.oval:def:10376
status accepted
submitted 2010-07-09T03:56:16-04:00
title The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
version 19
redhat via4
advisories
rhsa
id RHSA-2009:0205
rpms
  • dovecot-0:1.0.7-7.el5
  • dovecot-debuginfo-0:1.0.7-7.el5
refmap via4
bid 31587
confirm http://bugs.gentoo.org/show_bug.cgi?id=240409
fedora
  • FEDORA-2008-9202
  • FEDORA-2008-9232
gentoo GLSA-200812-16
mandriva MDVSA-2008:232
mlist [Dovecot-news] 20081005 v1.1.4 released
secunia
  • 32164
  • 32471
  • 33149
  • 33624
  • 36904
suse SUSE-SR:2009:004
ubuntu USN-838-1
vupen ADV-2008-2745
Last major update 21-01-2024 - 02:46
Published 15-10-2008 - 20:08
Last modified 21-01-2024 - 02:46