FKIE_CVE-2008-1199

Vulnerability from fkie_nvd - Published: 2008-03-06 21:44 - Updated: 2025-04-09 00:30
Severity ?
Summary
Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.
References
cve@mitre.orghttp://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html
cve@mitre.orghttp://secunia.com/advisories/29226
cve@mitre.orghttp://secunia.com/advisories/29385
cve@mitre.orghttp://secunia.com/advisories/29396
cve@mitre.orghttp://secunia.com/advisories/29557
cve@mitre.orghttp://secunia.com/advisories/30342
cve@mitre.orghttp://secunia.com/advisories/32151
cve@mitre.orghttp://security.gentoo.org/glsa/glsa-200803-25.xml
cve@mitre.orghttp://www.debian.org/security/2008/dsa-1516
cve@mitre.orghttp://www.dovecot.org/list/dovecot-news/2008-March/000061.htmlPatch
cve@mitre.orghttp://www.redhat.com/support/errata/RHSA-2008-0297.html
cve@mitre.orghttp://www.securityfocus.com/archive/1/489133/100/0/threaded
cve@mitre.orghttp://www.securityfocus.com/bid/28092Patch
cve@mitre.orghttps://exchange.xforce.ibmcloud.com/vulnerabilities/41009
cve@mitre.orghttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739
cve@mitre.orghttps://usn.ubuntu.com/593-1/
cve@mitre.orghttps://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html
cve@mitre.orghttps://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/29226
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/29385
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/29396
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/29557
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/30342
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/32151
af854a3a-2127-422b-91ae-364da2661108http://security.gentoo.org/glsa/glsa-200803-25.xml
af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2008/dsa-1516
af854a3a-2127-422b-91ae-364da2661108http://www.dovecot.org/list/dovecot-news/2008-March/000061.htmlPatch
af854a3a-2127-422b-91ae-364da2661108http://www.redhat.com/support/errata/RHSA-2008-0297.html
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/archive/1/489133/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/28092Patch
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/41009
af854a3a-2127-422b-91ae-364da2661108https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/593-1/
af854a3a-2127-422b-91ae-364da2661108https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html
af854a3a-2127-422b-91ae-364da2661108https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html
Impacted products
Vendor Product Version
dovecot dovecot 0.99.13
dovecot dovecot 0.99.14
dovecot dovecot 1.0
dovecot dovecot 1.0.2
dovecot dovecot 1.0.3
dovecot dovecot 1.0.4
dovecot dovecot 1.0.5
dovecot dovecot 1.0.6
dovecot dovecot 1.0.7
dovecot dovecot 1.0.8
dovecot dovecot 1.0.9
dovecot dovecot 1.0.10
dovecot dovecot 1.0.beta2
dovecot dovecot 1.0.beta3
dovecot dovecot 1.0.beta7
dovecot dovecot 1.0.beta8
dovecot dovecot 1.0.rc1
dovecot dovecot 1.0.rc2
dovecot dovecot 1.0.rc3
dovecot dovecot 1.0.rc4
dovecot dovecot 1.0.rc5
dovecot dovecot 1.0.rc6
dovecot dovecot 1.0.rc7
dovecot dovecot 1.0.rc8
dovecot dovecot 1.0.rc9
dovecot dovecot 1.0.rc10
dovecot dovecot 1.0.rc11
dovecot dovecot 1.0.rc12
dovecot dovecot 1.0.rc13
dovecot dovecot 1.0.rc14
dovecot dovecot 1.0.rc15
dovecot dovecot 1.0_rc29
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "D0616CCF-D278-4B6D-A58B-393BCA128CF1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3C7BE64-7C1E-4043-A1C5-D0A7377C01A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4240BD98-3C31-42CE-AF8F-045DD4BFC084",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C05ACA0-ED87-4DDF-94B6-8D25BE1790F1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A8C0C4A-F9DB-4BB7-BFC5-BEC22C3FE40B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7E00B56-A1E5-4261-8349-37654AA9FB64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "E66427AA-A9D4-413F-8354-EA61407307C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "D74BE6C7-114D-4885-8472-FFE71C817B8A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A349510-4D00-4978-93D9-3F9F5E0CD8DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "B65B9EFD-1531-463C-992E-F0F16AABF9C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "34BA7146-5793-44F4-9569-9D868FE6E325",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "B5078363-6B42-491B-A219-F8D8A86132BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D680474-C329-4DD0-B4EA-2406E27EC474",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*",
              "matchCriteriaId": "165A0D0B-C6B0-431F-BF36-223A27CD6A42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*",
              "matchCriteriaId": "99268D48-CF82-450B-A033-D87AF4109531",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*",
              "matchCriteriaId": "B2E09737-8107-45C0-BFF1-FB4CF81564CD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*",
              "matchCriteriaId": "91E74D81-DF10-423A-8549-3BB5ED02B5A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*",
              "matchCriteriaId": "07D6853E-7E81-443D-8806-C8469217F55C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D1BE4B6A-47A2-457B-B6B8-8FE5C2026A11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*",
              "matchCriteriaId": "7382F655-9B27-443D-9397-346FBEADEFDA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F180045-A0DA-40A3-AD3E-F3402FB6456A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*",
              "matchCriteriaId": "C1A2FFE7-D008-47B4-80E7-AEC176918E06",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C840337-7B31-476B-BBCD-65F4899925E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*",
              "matchCriteriaId": "545EF2F5-9BAE-4612-9958-70A5413818A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*",
              "matchCriteriaId": "E80096F8-46D9-42E3-8CDB-99ADA2CBD970",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E504866-3429-4A4C-8278-5C2753D356C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*",
              "matchCriteriaId": "30857130-636F-4719-9F1E-8F6369F40DAC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*",
              "matchCriteriaId": "9843D7CE-4723-4200-AFD4-5B31545A287E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*",
              "matchCriteriaId": "54AF1D92-D89B-4DE4-9D47-72466873A4C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*",
              "matchCriteriaId": "64A8FCA5-1666-48F7-9689-37D9315813F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4D517F3-F0A8-4362-89B9-0ED63515283F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*",
              "matchCriteriaId": "3AAE9E7C-49CC-48C3-B47C-CDC5802356A7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack."
    },
    {
      "lang": "es",
      "value": "Dovecot antes de 1.0.11, cuando se configura para utilizar mail_extra_groups para permitir a Dovecot crear dotlocks en /var/mail, podr\u00eda permitir a usuarios locales leer archivos de mail sensibles para otros usuarios, o modificar archivos o directorios que sean escribibles por el grupo, a trav\u00e9s de un ataque de enlaces simb\u00f3licos."
    }
  ],
  "id": "CVE-2008-1199",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2008-03-06T21:44:00.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/29226"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/29385"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/29396"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/29557"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/30342"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/32151"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.debian.org/security/2008/dsa-1516"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/28092"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://usn.ubuntu.com/593-1/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/29226"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/29385"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/29396"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/29557"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/30342"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/32151"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2008/dsa-1516"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/28092"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://usn.ubuntu.com/593-1/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vendorComments": [
    {
      "comment": "Red Hat is aware of this issue and is tracking it via the following bug:\nhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1199\n\nThis issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.\n\nThe Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. \n\nAn update to Red Hat Enterprise Linux 5 was released to correct this issue:\nhttps://rhn.redhat.com/errata/RHSA-2008-0297.html\n",
      "lastModified": "2008-05-21T00:00:00",
      "organization": "Red Hat"
    }
  ],
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-16"
        },
        {
          "lang": "en",
          "value": "CWE-59"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.