Vulnerability-Lookup

CVE-2008-4577 (GCVE-0-2008-4577)

Vulnerability from cvelistv5 – Published: 2008-10-15 20:00 – Updated: 2024-08-07 10:24

Summary

The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

Tags

	http://secunia.com/advisories/32164	third-party-advisoryx_refsource_SECUNIA
	http://secunia.com/advisories/32471	third-party-advisoryx_refsource_SECUNIA
	http://secunia.com/advisories/33149	third-party-advisoryx_refsource_SECUNIA
	http://www.vupen.com/english/advisories/2008/2745	vdb-entryx_refsource_VUPEN
	https://www.redhat.com/archives/fedora-package-an…	vendor-advisoryx_refsource_FEDORA
	https://oval.cisecurity.org/repository/search/def…	vdb-entrysignaturex_refsource_OVAL
	http://www.securityfocus.com/bid/31587	vdb-entryx_refsource_BID
	https://www.redhat.com/archives/fedora-package-an…	vendor-advisoryx_refsource_FEDORA
	http://www.mandriva.com/security/advisories?name=…	vendor-advisoryx_refsource_MANDRIVA
	http://www.ubuntu.com/usn/USN-838-1	vendor-advisoryx_refsource_UBUNTU
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	http://security.gentoo.org/glsa/glsa-200812-16.xml	vendor-advisoryx_refsource_GENTOO
	http://bugs.gentoo.org/show_bug.cgi?id=240409	x_refsource_CONFIRM
	http://www.redhat.com/support/errata/RHSA-2009-02…	vendor-advisoryx_refsource_REDHAT
	http://secunia.com/advisories/33624	third-party-advisoryx_refsource_SECUNIA
	http://www.dovecot.org/list/dovecot-news/2008-Oct…	mailing-listx_refsource_MLIST
	http://secunia.com/advisories/36904	third-party-advisoryx_refsource_SECUNIA

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T10:24:20.877Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "32164",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/32164"
          },
          {
            "name": "32471",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/32471"
          },
          {
            "name": "33149",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/33149"
          },
          {
            "name": "ADV-2008-2745",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2008/2745"
          },
          {
            "name": "FEDORA-2008-9202",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html"
          },
          {
            "name": "oval:org.mitre.oval:def:10376",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376"
          },
          {
            "name": "31587",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/31587"
          },
          {
            "name": "FEDORA-2008-9232",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html"
          },
          {
            "name": "MDVSA-2008:232",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232"
          },
          {
            "name": "USN-838-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-838-1"
          },
          {
            "name": "SUSE-SR:2009:004",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
          },
          {
            "name": "GLSA-200812-16",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409"
          },
          {
            "name": "RHSA-2009:0205",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
          },
          {
            "name": "33624",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/33624"
          },
          {
            "name": "[Dovecot-news] 20081005 v1.1.4 released",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html"
          },
          {
            "name": "36904",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/36904"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2008-10-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-28T12:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "32164",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/32164"
        },
        {
          "name": "32471",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/32471"
        },
        {
          "name": "33149",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/33149"
        },
        {
          "name": "ADV-2008-2745",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2008/2745"
        },
        {
          "name": "FEDORA-2008-9202",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html"
        },
        {
          "name": "oval:org.mitre.oval:def:10376",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376"
        },
        {
          "name": "31587",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/31587"
        },
        {
          "name": "FEDORA-2008-9232",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html"
        },
        {
          "name": "MDVSA-2008:232",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232"
        },
        {
          "name": "USN-838-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-838-1"
        },
        {
          "name": "SUSE-SR:2009:004",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
        },
        {
          "name": "GLSA-200812-16",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409"
        },
        {
          "name": "RHSA-2009:0205",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
        },
        {
          "name": "33624",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/33624"
        },
        {
          "name": "[Dovecot-news] 20081005 v1.1.4 released",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html"
        },
        {
          "name": "36904",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/36904"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2008-4577",
    "datePublished": "2008-10-15T20:00:00",
    "dateReserved": "2008-10-15T00:00:00",
    "dateUpdated": "2024-08-07T10:24:20.877Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.1.4\", \"matchCriteriaId\": \"B084417D-FA5E-45DE-AA03-3932D9292B30\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"72E4DB7F-07C3-46BB-AAA2-05CD0312C57F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"743CBBB1-C140-4FEF-B40E-FAE4511B1140\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:opensuse:10.3-11.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F7018930-D354-4B31-870E-D0E3CE19C8B5\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*\", \"matchCriteriaId\": \"7EBFE35C-E243-43D1-883D-4398D71763CC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4747CC68-FAF4-482F-929A-9DA6C24CB663\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A5D026D0-EF78-438D-BEDD-FC8571F3ACEB\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.\"}, {\"lang\": \"es\", \"value\": \"El plugin ACL en Dovecot anterior a 1.1.4 amenaza los derechos del acceso negativo como si fueran derechos de acceso positivos, lo que permite a atacantes evitar las restricciones de acceso previstas.\"}]",
      "id": "CVE-2008-4577",
      "lastModified": "2024-11-21T00:52:00.953",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2008-10-15T20:08:02.670",
      "references": "[{\"url\": \"http://bugs.gentoo.org/show_bug.cgi?id=240409\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\"]}, {\"url\": \"http://secunia.com/advisories/32164\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\", \"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/32471\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://secunia.com/advisories/33149\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://secunia.com/advisories/33624\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://secunia.com/advisories/36904\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://security.gentoo.org/glsa/glsa-200812-16.xml\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.dovecot.org/list/dovecot-news/2008-October/000085.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Release Notes\"]}, {\"url\": \"http://www.mandriva.com/security/advisories?name=MDVSA-2008:232\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://www.redhat.com/support/errata/RHSA-2009-0205.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://www.securityfocus.com/bid/31587\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.ubuntu.com/usn/USN-838-1\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2008/2745\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\"]}, {\"url\": \"http://bugs.gentoo.org/show_bug.cgi?id=240409\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\"]}, {\"url\": \"http://secunia.com/advisories/32164\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\", \"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/32471\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://secunia.com/advisories/33149\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://secunia.com/advisories/33624\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://secunia.com/advisories/36904\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://security.gentoo.org/glsa/glsa-200812-16.xml\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.dovecot.org/list/dovecot-news/2008-October/000085.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Release Notes\"]}, {\"url\": \"http://www.mandriva.com/security/advisories?name=MDVSA-2008:232\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://www.redhat.com/support/errata/RHSA-2009-0205.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://www.securityfocus.com/bid/31587\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.ubuntu.com/usn/USN-838-1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2008/2745\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\"]}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-863\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2008-4577\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2008-10-15T20:08:02.670\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.\"},{\"lang\":\"es\",\"value\":\"El plugin ACL en Dovecot anterior a 1.1.4 amenaza los derechos del acceso negativo como si fueran derechos de acceso positivos, lo que permite a atacantes evitar las restricciones de acceso previstas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.1.4\",\"matchCriteriaId\":\"B084417D-FA5E-45DE-AA03-3932D9292B30\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"72E4DB7F-07C3-46BB-AAA2-05CD0312C57F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"743CBBB1-C140-4FEF-B40E-FAE4511B1140\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:opensuse:10.3-11.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7018930-D354-4B31-870E-D0E3CE19C8B5\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*\",\"matchCriteriaId\":\"7EBFE35C-E243-43D1-883D-4398D71763CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4747CC68-FAF4-482F-929A-9DA6C24CB663\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A5D026D0-EF78-438D-BEDD-FC8571F3ACEB\"}]}]}],\"references\":[{\"url\":\"http://bugs.gentoo.org/show_bug.cgi?id=240409\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://secunia.com/advisories/32164\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\",\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/32471\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/33149\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/33624\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/36904\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://security.gentoo.org/glsa/glsa-200812-16.xml\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.dovecot.org/list/dovecot-news/2008-October/000085.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDVSA-2008:232\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2009-0205.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.securityfocus.com/bid/31587\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.ubuntu.com/usn/USN-838-1\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2008/2745\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://bugs.gentoo.org/show_bug.cgi?id=240409\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://secunia.com/advisories/32164\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/32471\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/33149\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/33624\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/36904\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://security.gentoo.org/glsa/glsa-200812-16.xml\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.dovecot.org/list/dovecot-news/2008-October/000085.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDVSA-2008:232\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2009-0205.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.securityfocus.com/bid/31587\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.ubuntu.com/usn/USN-838-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2008/2745\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]}]}}"
  }
}

GHSA-24JQ-H48J-G592

Vulnerability from github – Published: 2022-05-02 00:11 – Updated: 2024-01-21 03:30

Details

The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2008-4577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-10-15T20:08:00Z",
    "severity": "MODERATE"
  },
  "details": "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.",
  "id": "GHSA-24jq-h48j-g592",
  "modified": "2024-01-21T03:30:23Z",
  "published": "2022-05-02T00:11:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4577"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html"
    },
    {
      "type": "WEB",
      "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32164"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32471"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/33149"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/33624"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/36904"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/31587"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-838-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/2745"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2008-4577

Vulnerability from fkie_nvd - Published: 2008-10-15 20:08 - Updated: 2025-04-09 00:30

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.

References

URL	Tags
secalert@redhat.com	http://bugs.gentoo.org/show_bug.cgi?id=240409	Issue Tracking
secalert@redhat.com	http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html	Mailing List
secalert@redhat.com	http://secunia.com/advisories/32164	Broken Link, Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/32471	Broken Link
secalert@redhat.com	http://secunia.com/advisories/33149	Broken Link
secalert@redhat.com	http://secunia.com/advisories/33624	Broken Link
secalert@redhat.com	http://secunia.com/advisories/36904	Broken Link
secalert@redhat.com	http://security.gentoo.org/glsa/glsa-200812-16.xml	Third Party Advisory
secalert@redhat.com	http://www.dovecot.org/list/dovecot-news/2008-October/000085.html	Mailing List, Release Notes
secalert@redhat.com	http://www.mandriva.com/security/advisories?name=MDVSA-2008:232	Broken Link
secalert@redhat.com	http://www.redhat.com/support/errata/RHSA-2009-0205.html	Broken Link
secalert@redhat.com	http://www.securityfocus.com/bid/31587	Broken Link, Third Party Advisory, VDB Entry
secalert@redhat.com	http://www.ubuntu.com/usn/USN-838-1	Third Party Advisory
secalert@redhat.com	http://www.vupen.com/english/advisories/2008/2745	Permissions Required
secalert@redhat.com	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376	Broken Link
secalert@redhat.com	https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html	Mailing List
secalert@redhat.com	https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html	Mailing List
af854a3a-2127-422b-91ae-364da2661108	http://bugs.gentoo.org/show_bug.cgi?id=240409	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html	Mailing List
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/32164	Broken Link, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/32471	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/33149	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/33624	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/36904	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://security.gentoo.org/glsa/glsa-200812-16.xml	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.dovecot.org/list/dovecot-news/2008-October/000085.html	Mailing List, Release Notes
af854a3a-2127-422b-91ae-364da2661108	http://www.mandriva.com/security/advisories?name=MDVSA-2008:232	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2009-0205.html	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/31587	Broken Link, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-838-1	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2008/2745	Permissions Required
af854a3a-2127-422b-91ae-364da2661108	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html	Mailing List
af854a3a-2127-422b-91ae-364da2661108	https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html	Mailing List

Impacted products

Vendor	Product	Version
dovecot	dovecot	*
fedoraproject	fedora	8
fedoraproject	fedora	9
opensuse	opensuse	10.3-11.1
canonical	ubuntu_linux	8.04
canonical	ubuntu_linux	8.10
canonical	ubuntu_linux	9.04

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B084417D-FA5E-45DE-AA03-3932D9292B30",
              "versionEndExcluding": "1.1.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*",
              "matchCriteriaId": "72E4DB7F-07C3-46BB-AAA2-05CD0312C57F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*",
              "matchCriteriaId": "743CBBB1-C140-4FEF-B40E-FAE4511B1140",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:opensuse:opensuse:10.3-11.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7018930-D354-4B31-870E-D0E3CE19C8B5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*",
              "matchCriteriaId": "7EBFE35C-E243-43D1-883D-4398D71763CC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "4747CC68-FAF4-482F-929A-9DA6C24CB663",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5D026D0-EF78-438D-BEDD-FC8571F3ACEB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions."
    },
    {
      "lang": "es",
      "value": "El plugin ACL en Dovecot anterior a 1.1.4 amenaza los derechos del acceso negativo como si fueran derechos de acceso positivos, lo que permite a atacantes evitar las restricciones de acceso previstas."
    }
  ],
  "id": "CVE-2008-4577",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2008-10-15T20:08:02.670",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Broken Link",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/32164"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://secunia.com/advisories/32471"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://secunia.com/advisories/33149"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://secunia.com/advisories/33624"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://secunia.com/advisories/36904"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Release Notes"
      ],
      "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Broken Link",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/31587"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.ubuntu.com/usn/USN-838-1"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "http://www.vupen.com/english/advisories/2008/2745"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Broken Link"
      ],
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/32164"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://secunia.com/advisories/32471"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://secunia.com/advisories/33149"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://secunia.com/advisories/33624"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://secunia.com/advisories/36904"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Release Notes"
      ],
      "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/31587"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.ubuntu.com/usn/USN-838-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "http://www.vupen.com/english/advisories/2008/2745"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

RHSA-2009:0205

Vulnerability from csaf_redhat - Published: 2009-01-20 15:45 - Updated: 2025-11-21 17:34

Summary

Red Hat Security Advisory: dovecot security and bug fix update

Notes

Topic

An updated dovecot package that corrects two security flaws and various bugs is now available for Red Hat Enterprise Linux 5. This update has been rated as having low security impact by the Red Hat Security Response Team.

Details

Dovecot is an IMAP server for Linux and UNIX-like systems, primarily written with security in mind. A flaw was found in Dovecot's ACL plug-in. The ACL plug-in treated negative access rights as positive rights, which could allow an attacker to bypass intended access restrictions. (CVE-2008-4577) A password disclosure flaw was found with Dovecot's configuration file. If a system had the "ssl_key_password" option defined, any local user could view the SSL key password. (CVE-2008-4870) Note: This flaw did not allow the attacker to acquire the contents of the SSL key. The password has no value without the key file which arbitrary users should not have read access to. To better protect even this value, however, the dovecot.conf file now supports the "!include_try" directive. The ssl_key_password option should be moved from dovecot.conf to a new file owned by, and only readable and writable by, root (ie 0600). This file should be referenced from dovecot.conf by setting the "!include_try [/path/to/password/file]" option. Additionally, this update addresses the following bugs: * the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if the dovecot binary or configuration files existed. It also used the wrong pid file for checking the dovecot service's status. This update includes a new init script that corrects these errors. * the %files section of the dovecot spec file did not include "%dir %{ssldir}/private". As a consequence, the /etc/pki/private/ directory was not owned by dovecot. (Note: files inside /etc/pki/private/ were and are owned by dovecot.) With this update, the missing line has been added to the spec file, and the noted directory is now owned by dovecot. * in some previously released versions of dovecot, the authentication process accepted (and passed along un-escaped) passwords containing characters that had special meaning to dovecot's internal protocols. This updated release prevents such passwords from being passed back, instead returning the error, "Attempted login with password having illegal chars". Note: dovecot versions previously shipped with Red Hat Enterprise Linux 5 did not allow this behavior. This update addresses the issue above but said issue was only present in versions of dovecot not previously included with Red Hat Enterprise Linux 5. Users of dovecot are advised to upgrade to this updated package, which addresses these vulnerabilities and resolves these issues.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated dovecot package that corrects two security flaws and various bugs\nis now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Dovecot is an IMAP server for Linux and UNIX-like systems, primarily\nwritten with security in mind.\n\nA flaw was found in Dovecot\u0027s ACL plug-in. The ACL plug-in treated negative\naccess rights as positive rights, which could allow an attacker to bypass\nintended access restrictions. (CVE-2008-4577)\n\nA password disclosure flaw was found with Dovecot\u0027s configuration file. If\na system had the \"ssl_key_password\" option defined, any local user could\nview the SSL key password. (CVE-2008-4870)\n\nNote: This flaw did not allow the attacker to acquire the contents of the\nSSL key. The password has no value without the key file which arbitrary\nusers should not have read access to.\n\nTo better protect even this value, however, the dovecot.conf file now\nsupports the \"!include_try\" directive. The ssl_key_password option should\nbe moved from dovecot.conf to a new file owned by, and only readable and\nwritable by, root (ie 0600). This file should be referenced from\ndovecot.conf by setting the \"!include_try [/path/to/password/file]\" option.\n\nAdditionally, this update addresses the following bugs:\n\n* the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if\nthe dovecot binary or configuration files existed. It also used the wrong\npid file for checking the dovecot service\u0027s status. This update includes a\nnew init script that corrects these errors.\n\n* the %files section of the dovecot spec file did not include \"%dir\n%{ssldir}/private\". As a consequence, the /etc/pki/private/ directory was\nnot owned by dovecot. (Note: files inside /etc/pki/private/ were and are\nowned by dovecot.) With this update, the missing line has been added to the\nspec file, and the noted directory is now owned by dovecot.\n\n* in some previously released versions of dovecot, the authentication\nprocess accepted (and passed along un-escaped) passwords containing\ncharacters that had special meaning to dovecot\u0027s internal protocols. This\nupdated release prevents such passwords from being passed back, instead\nreturning the error, \"Attempted login with password having illegal chars\".\n\nNote: dovecot versions previously shipped with Red Hat Enterprise Linux 5\ndid not allow this behavior. This update addresses the issue above but said\nissue was only present in versions of dovecot not previously included with\nRed Hat Enterprise Linux 5.\n\nUsers of dovecot are advised to upgrade to this updated package, which\naddresses these vulnerabilities and resolves these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2009:0205",
        "url": "https://access.redhat.com/errata/RHSA-2009:0205"
      },
      {
        "category": "external",
        "summary": "http://www.redhat.com/security/updates/classification/#low",
        "url": "http://www.redhat.com/security/updates/classification/#low"
      },
      {
        "category": "external",
        "summary": "238016",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=238016"
      },
      {
        "category": "external",
        "summary": "436287",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287"
      },
      {
        "category": "external",
        "summary": "439369",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=439369"
      },
      {
        "category": "external",
        "summary": "448089",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=448089"
      },
      {
        "category": "external",
        "summary": "467436",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=467436"
      },
      {
        "category": "external",
        "summary": "469659",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=469659"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_0205.json"
      }
    ],
    "title": "Red Hat Security Advisory: dovecot security and bug fix update",
    "tracking": {
      "current_release_date": "2025-11-21T17:34:11+00:00",
      "generator": {
        "date": "2025-11-21T17:34:11+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2009:0205",
      "initial_release_date": "2009-01-20T15:45:00+00:00",
      "revision_history": [
        {
          "date": "2009-01-20T15:45:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2009-01-20T11:06:11+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:34:11+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
                "product": {
                  "name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
                  "product_id": "5Client-Workstation",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:5::client_workstation"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux (v. 5 server)",
                "product": {
                  "name": "Red Hat Enterprise Linux (v. 5 server)",
                  "product_id": "5Server",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:5::server"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-7.el5.src",
                "product": {
                  "name": "dovecot-0:1.0.7-7.el5.src",
                  "product_id": "dovecot-0:1.0.7-7.el5.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-7.el5.x86_64",
                "product": {
                  "name": "dovecot-0:1.0.7-7.el5.x86_64",
                  "product_id": "dovecot-0:1.0.7-7.el5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
                  "product_id": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-7.el5.i386",
                "product": {
                  "name": "dovecot-0:1.0.7-7.el5.i386",
                  "product_id": "dovecot-0:1.0.7-7.el5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=i386"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
                  "product_id": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=i386"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i386"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-7.el5.ia64",
                "product": {
                  "name": "dovecot-0:1.0.7-7.el5.ia64",
                  "product_id": "dovecot-0:1.0.7-7.el5.ia64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ia64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
                  "product_id": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ia64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ia64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-7.el5.ppc",
                "product": {
                  "name": "dovecot-0:1.0.7-7.el5.ppc",
                  "product_id": "dovecot-0:1.0.7-7.el5.ppc",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ppc"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
                  "product_id": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ppc"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-7.el5.s390x",
                "product": {
                  "name": "dovecot-0:1.0.7-7.el5.s390x",
                  "product_id": "dovecot-0:1.0.7-7.el5.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
                  "product_id": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.i386",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.ia64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.ppc",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.s390x",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.src"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.src",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.x86_64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-7.el5.i386"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.i386",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-7.el5.ia64"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.ia64",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-7.el5.ppc"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.ppc",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-7.el5.s390x"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.s390x",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-7.el5.src"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.src",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-7.el5.x86_64"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.x86_64",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
        "relates_to_product_reference": "5Server"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2008-4577",
      "discovery_date": "2008-10-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "467436"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "dovecot: incorrect handling of negative rights in the ACL plugin",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
          "5Server:dovecot-0:1.0.7-7.el5.i386",
          "5Server:dovecot-0:1.0.7-7.el5.ia64",
          "5Server:dovecot-0:1.0.7-7.el5.ppc",
          "5Server:dovecot-0:1.0.7-7.el5.s390x",
          "5Server:dovecot-0:1.0.7-7.el5.src",
          "5Server:dovecot-0:1.0.7-7.el5.x86_64",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2008-4577"
        },
        {
          "category": "external",
          "summary": "RHBZ#467436",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=467436"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2008-4577",
          "url": "https://www.cve.org/CVERecord?id=CVE-2008-4577"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-4577",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4577"
        }
      ],
      "release_date": "2008-10-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2009-01-20T15:45:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
          "product_ids": [
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
            "5Server:dovecot-0:1.0.7-7.el5.i386",
            "5Server:dovecot-0:1.0.7-7.el5.ia64",
            "5Server:dovecot-0:1.0.7-7.el5.ppc",
            "5Server:dovecot-0:1.0.7-7.el5.s390x",
            "5Server:dovecot-0:1.0.7-7.el5.src",
            "5Server:dovecot-0:1.0.7-7.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2009:0205"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.6,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
            "5Server:dovecot-0:1.0.7-7.el5.i386",
            "5Server:dovecot-0:1.0.7-7.el5.ia64",
            "5Server:dovecot-0:1.0.7-7.el5.ppc",
            "5Server:dovecot-0:1.0.7-7.el5.s390x",
            "5Server:dovecot-0:1.0.7-7.el5.src",
            "5Server:dovecot-0:1.0.7-7.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "dovecot: incorrect handling of negative rights in the ACL plugin"
    },
    {
      "cve": "CVE-2008-4870",
      "discovery_date": "2008-03-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "469659"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
          "5Server:dovecot-0:1.0.7-7.el5.i386",
          "5Server:dovecot-0:1.0.7-7.el5.ia64",
          "5Server:dovecot-0:1.0.7-7.el5.ppc",
          "5Server:dovecot-0:1.0.7-7.el5.s390x",
          "5Server:dovecot-0:1.0.7-7.el5.src",
          "5Server:dovecot-0:1.0.7-7.el5.x86_64",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2008-4870"
        },
        {
          "category": "external",
          "summary": "RHBZ#469659",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=469659"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2008-4870",
          "url": "https://www.cve.org/CVERecord?id=CVE-2008-4870"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-4870",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4870"
        }
      ],
      "release_date": "2008-03-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2009-01-20T15:45:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
          "product_ids": [
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
            "5Server:dovecot-0:1.0.7-7.el5.i386",
            "5Server:dovecot-0:1.0.7-7.el5.ia64",
            "5Server:dovecot-0:1.0.7-7.el5.ppc",
            "5Server:dovecot-0:1.0.7-7.el5.s390x",
            "5Server:dovecot-0:1.0.7-7.el5.src",
            "5Server:dovecot-0:1.0.7-7.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2009:0205"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions"
    }
  ]
}

RHSA-2009_0205

Vulnerability from csaf_redhat - Published: 2009-01-20 15:45 - Updated: 2024-11-22 02:17

Summary

Red Hat Security Advisory: dovecot security and bug fix update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated dovecot package that corrects two security flaws and various bugs\nis now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having low security impact by the Red Hat\nSecurity Response Team.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Dovecot is an IMAP server for Linux and UNIX-like systems, primarily\nwritten with security in mind.\n\nA flaw was found in Dovecot\u0027s ACL plug-in. The ACL plug-in treated negative\naccess rights as positive rights, which could allow an attacker to bypass\nintended access restrictions. (CVE-2008-4577)\n\nA password disclosure flaw was found with Dovecot\u0027s configuration file. If\na system had the \"ssl_key_password\" option defined, any local user could\nview the SSL key password. (CVE-2008-4870)\n\nNote: This flaw did not allow the attacker to acquire the contents of the\nSSL key. The password has no value without the key file which arbitrary\nusers should not have read access to.\n\nTo better protect even this value, however, the dovecot.conf file now\nsupports the \"!include_try\" directive. The ssl_key_password option should\nbe moved from dovecot.conf to a new file owned by, and only readable and\nwritable by, root (ie 0600). This file should be referenced from\ndovecot.conf by setting the \"!include_try [/path/to/password/file]\" option.\n\nAdditionally, this update addresses the following bugs:\n\n* the dovecot init script -- /etc/rc.d/init.d/dovecot -- did not check if\nthe dovecot binary or configuration files existed. It also used the wrong\npid file for checking the dovecot service\u0027s status. This update includes a\nnew init script that corrects these errors.\n\n* the %files section of the dovecot spec file did not include \"%dir\n%{ssldir}/private\". As a consequence, the /etc/pki/private/ directory was\nnot owned by dovecot. (Note: files inside /etc/pki/private/ were and are\nowned by dovecot.) With this update, the missing line has been added to the\nspec file, and the noted directory is now owned by dovecot.\n\n* in some previously released versions of dovecot, the authentication\nprocess accepted (and passed along un-escaped) passwords containing\ncharacters that had special meaning to dovecot\u0027s internal protocols. This\nupdated release prevents such passwords from being passed back, instead\nreturning the error, \"Attempted login with password having illegal chars\".\n\nNote: dovecot versions previously shipped with Red Hat Enterprise Linux 5\ndid not allow this behavior. This update addresses the issue above but said\nissue was only present in versions of dovecot not previously included with\nRed Hat Enterprise Linux 5.\n\nUsers of dovecot are advised to upgrade to this updated package, which\naddresses these vulnerabilities and resolves these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2009:0205",
        "url": "https://access.redhat.com/errata/RHSA-2009:0205"
      },
      {
        "category": "external",
        "summary": "http://www.redhat.com/security/updates/classification/#low",
        "url": "http://www.redhat.com/security/updates/classification/#low"
      },
      {
        "category": "external",
        "summary": "238016",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=238016"
      },
      {
        "category": "external",
        "summary": "436287",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=436287"
      },
      {
        "category": "external",
        "summary": "439369",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=439369"
      },
      {
        "category": "external",
        "summary": "448089",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=448089"
      },
      {
        "category": "external",
        "summary": "467436",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=467436"
      },
      {
        "category": "external",
        "summary": "469659",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=469659"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_0205.json"
      }
    ],
    "title": "Red Hat Security Advisory: dovecot security and bug fix update",
    "tracking": {
      "current_release_date": "2024-11-22T02:17:23+00:00",
      "generator": {
        "date": "2024-11-22T02:17:23+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2009:0205",
      "initial_release_date": "2009-01-20T15:45:00+00:00",
      "revision_history": [
        {
          "date": "2009-01-20T15:45:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2009-01-20T11:06:11+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T02:17:23+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
                "product": {
                  "name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
                  "product_id": "5Client-Workstation",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:5::client_workstation"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux (v. 5 server)",
                "product": {
                  "name": "Red Hat Enterprise Linux (v. 5 server)",
                  "product_id": "5Server",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:5::server"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-7.el5.src",
                "product": {
                  "name": "dovecot-0:1.0.7-7.el5.src",
                  "product_id": "dovecot-0:1.0.7-7.el5.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-7.el5.x86_64",
                "product": {
                  "name": "dovecot-0:1.0.7-7.el5.x86_64",
                  "product_id": "dovecot-0:1.0.7-7.el5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
                  "product_id": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-7.el5.i386",
                "product": {
                  "name": "dovecot-0:1.0.7-7.el5.i386",
                  "product_id": "dovecot-0:1.0.7-7.el5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=i386"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
                  "product_id": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=i386"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i386"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-7.el5.ia64",
                "product": {
                  "name": "dovecot-0:1.0.7-7.el5.ia64",
                  "product_id": "dovecot-0:1.0.7-7.el5.ia64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ia64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
                  "product_id": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ia64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ia64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-7.el5.ppc",
                "product": {
                  "name": "dovecot-0:1.0.7-7.el5.ppc",
                  "product_id": "dovecot-0:1.0.7-7.el5.ppc",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=ppc"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
                  "product_id": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=ppc"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dovecot-0:1.0.7-7.el5.s390x",
                "product": {
                  "name": "dovecot-0:1.0.7-7.el5.s390x",
                  "product_id": "dovecot-0:1.0.7-7.el5.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot@1.0.7-7.el5?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
                "product": {
                  "name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
                  "product_id": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/dovecot-debuginfo@1.0.7-7.el5?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.i386",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.ia64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.ppc",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.s390x",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.src"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.src",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.x86_64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-7.el5.i386"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.i386",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-7.el5.ia64"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.ia64",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-7.el5.ppc"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.ppc",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-7.el5.s390x"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.s390x",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.src as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-7.el5.src"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.src",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-0:1.0.7-7.el5.x86_64"
        },
        "product_reference": "dovecot-0:1.0.7-7.el5.x86_64",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.i386 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.i386",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ia64",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.ppc as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.ppc",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.s390x as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.s390x",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
        },
        "product_reference": "dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
        "relates_to_product_reference": "5Server"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2008-4577",
      "discovery_date": "2008-10-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "467436"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "dovecot: incorrect handling of negative rights in the ACL plugin",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
          "5Server:dovecot-0:1.0.7-7.el5.i386",
          "5Server:dovecot-0:1.0.7-7.el5.ia64",
          "5Server:dovecot-0:1.0.7-7.el5.ppc",
          "5Server:dovecot-0:1.0.7-7.el5.s390x",
          "5Server:dovecot-0:1.0.7-7.el5.src",
          "5Server:dovecot-0:1.0.7-7.el5.x86_64",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2008-4577"
        },
        {
          "category": "external",
          "summary": "RHBZ#467436",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=467436"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2008-4577",
          "url": "https://www.cve.org/CVERecord?id=CVE-2008-4577"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-4577",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4577"
        }
      ],
      "release_date": "2008-10-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2009-01-20T15:45:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
          "product_ids": [
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
            "5Server:dovecot-0:1.0.7-7.el5.i386",
            "5Server:dovecot-0:1.0.7-7.el5.ia64",
            "5Server:dovecot-0:1.0.7-7.el5.ppc",
            "5Server:dovecot-0:1.0.7-7.el5.s390x",
            "5Server:dovecot-0:1.0.7-7.el5.src",
            "5Server:dovecot-0:1.0.7-7.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2009:0205"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.6,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
            "5Server:dovecot-0:1.0.7-7.el5.i386",
            "5Server:dovecot-0:1.0.7-7.el5.ia64",
            "5Server:dovecot-0:1.0.7-7.el5.ppc",
            "5Server:dovecot-0:1.0.7-7.el5.s390x",
            "5Server:dovecot-0:1.0.7-7.el5.src",
            "5Server:dovecot-0:1.0.7-7.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "dovecot: incorrect handling of negative rights in the ACL plugin"
    },
    {
      "cve": "CVE-2008-4870",
      "discovery_date": "2008-03-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "469659"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
          "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
          "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
          "5Server:dovecot-0:1.0.7-7.el5.i386",
          "5Server:dovecot-0:1.0.7-7.el5.ia64",
          "5Server:dovecot-0:1.0.7-7.el5.ppc",
          "5Server:dovecot-0:1.0.7-7.el5.s390x",
          "5Server:dovecot-0:1.0.7-7.el5.src",
          "5Server:dovecot-0:1.0.7-7.el5.x86_64",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
          "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2008-4870"
        },
        {
          "category": "external",
          "summary": "RHBZ#469659",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=469659"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2008-4870",
          "url": "https://www.cve.org/CVERecord?id=CVE-2008-4870"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-4870",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4870"
        }
      ],
      "release_date": "2008-03-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2009-01-20T15:45:00+00:00",
          "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/FAQ_58_10188",
          "product_ids": [
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.i386",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.ia64",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.ppc",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.s390x",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.src",
            "5Client-Workstation:dovecot-0:1.0.7-7.el5.x86_64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.i386",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
            "5Client-Workstation:dovecot-debuginfo-0:1.0.7-7.el5.x86_64",
            "5Server:dovecot-0:1.0.7-7.el5.i386",
            "5Server:dovecot-0:1.0.7-7.el5.ia64",
            "5Server:dovecot-0:1.0.7-7.el5.ppc",
            "5Server:dovecot-0:1.0.7-7.el5.s390x",
            "5Server:dovecot-0:1.0.7-7.el5.src",
            "5Server:dovecot-0:1.0.7-7.el5.x86_64",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.i386",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ia64",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.ppc",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.s390x",
            "5Server:dovecot-debuginfo-0:1.0.7-7.el5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2009:0205"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions"
    }
  ]
}

GSD-2008-4577

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.

Aliases

CVE-2008-4577

Aliases

CVE-2008-4577

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2008-4577",
    "description": "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.",
    "id": "GSD-2008-4577",
    "references": [
      "https://www.suse.com/security/cve/CVE-2008-4577.html",
      "https://access.redhat.com/errata/RHSA-2009:0205",
      "https://linux.oracle.com/cve/CVE-2008-4577.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2008-4577"
      ],
      "details": "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.",
      "id": "GSD-2008-4577",
      "modified": "2023-12-13T01:23:00.252007Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2008-4577",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html",
            "refsource": "MISC",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
          },
          {
            "name": "http://bugs.gentoo.org/show_bug.cgi?id=240409",
            "refsource": "MISC",
            "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409"
          },
          {
            "name": "http://secunia.com/advisories/32164",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/32164"
          },
          {
            "name": "http://secunia.com/advisories/32471",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/32471"
          },
          {
            "name": "http://secunia.com/advisories/33149",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/33149"
          },
          {
            "name": "http://secunia.com/advisories/33624",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/33624"
          },
          {
            "name": "http://secunia.com/advisories/36904",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/36904"
          },
          {
            "name": "http://security.gentoo.org/glsa/glsa-200812-16.xml",
            "refsource": "MISC",
            "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
          },
          {
            "name": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html",
            "refsource": "MISC",
            "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html"
          },
          {
            "name": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232",
            "refsource": "MISC",
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232"
          },
          {
            "name": "http://www.redhat.com/support/errata/RHSA-2009-0205.html",
            "refsource": "MISC",
            "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
          },
          {
            "name": "http://www.securityfocus.com/bid/31587",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/bid/31587"
          },
          {
            "name": "http://www.ubuntu.com/usn/USN-838-1",
            "refsource": "MISC",
            "url": "http://www.ubuntu.com/usn/USN-838-1"
          },
          {
            "name": "http://www.vupen.com/english/advisories/2008/2745",
            "refsource": "MISC",
            "url": "http://www.vupen.com/english/advisories/2008/2745"
          },
          {
            "name": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376",
            "refsource": "MISC",
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376"
          },
          {
            "name": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html",
            "refsource": "MISC",
            "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html"
          },
          {
            "name": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html",
            "refsource": "MISC",
            "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "B084417D-FA5E-45DE-AA03-3932D9292B30",
                    "versionEndExcluding": "1.1.4",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*",
                    "matchCriteriaId": "72E4DB7F-07C3-46BB-AAA2-05CD0312C57F",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*",
                    "matchCriteriaId": "743CBBB1-C140-4FEF-B40E-FAE4511B1140",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:opensuse:opensuse:10.3-11.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F7018930-D354-4B31-870E-D0E3CE19C8B5",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*",
                    "matchCriteriaId": "7EBFE35C-E243-43D1-883D-4398D71763CC",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*",
                    "matchCriteriaId": "4747CC68-FAF4-482F-929A-9DA6C24CB663",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A5D026D0-EF78-438D-BEDD-FC8571F3ACEB",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions."
          },
          {
            "lang": "es",
            "value": "El plugin ACL en Dovecot anterior a 1.1.4 amenaza los derechos del acceso negativo como si fueran derechos de acceso positivos, lo que permite a atacantes evitar las restricciones de acceso previstas."
          }
        ],
        "id": "CVE-2008-4577",
        "lastModified": "2024-01-21T02:46:56.287",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "PARTIAL",
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
                "version": "2.0"
              },
              "exploitabilityScore": 10.0,
              "impactScore": 4.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2008-10-15T20:08:02.670",
        "references": [
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Issue Tracking"
            ],
            "url": "http://bugs.gentoo.org/show_bug.cgi?id=240409"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Mailing List"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link",
              "Vendor Advisory"
            ],
            "url": "http://secunia.com/advisories/32164"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link"
            ],
            "url": "http://secunia.com/advisories/32471"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link"
            ],
            "url": "http://secunia.com/advisories/33149"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link"
            ],
            "url": "http://secunia.com/advisories/33624"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link"
            ],
            "url": "http://secunia.com/advisories/36904"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "http://security.gentoo.org/glsa/glsa-200812-16.xml"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Mailing List",
              "Release Notes"
            ],
            "url": "http://www.dovecot.org/list/dovecot-news/2008-October/000085.html"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:232"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2009-0205.html"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link",
              "Third Party Advisory",
              "VDB Entry"
            ],
            "url": "http://www.securityfocus.com/bid/31587"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "http://www.ubuntu.com/usn/USN-838-1"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Permissions Required"
            ],
            "url": "http://www.vupen.com/english/advisories/2008/2745"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Broken Link"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Mailing List"
            ],
            "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html"
          },
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Mailing List"
            ],
            "url": "https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html"
          }
        ],
        "sourceIdentifier": "secalert@redhat.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-863"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2008-4577 (GCVE-0-2008-4577)

GHSA-24JQ-H48J-G592

FKIE_CVE-2008-4577

RHSA-2009:0205

RHSA-2009_0205

GSD-2008-4577

Tags

Sightings

Nomenclature