Vulnerability Name:

CVE-2008-4577 (CCN-45667)

Assigned: 2008-10-05
Published: 2008-10-05
Updated: 2017-09-29
Summary: The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
4.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
3.6 Low (REDHAT CVSS v2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:N)
2.6 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:
Source: CONFIRM
Type: UNKNOWN
http://bugs.gentoo.org/show_bug.cgi?id=240409

Source: MITRE
Type: CNA
CVE-2008-4577

Source: SUSE
Type: UNKNOWN
SUSE-SR:2009:004

Source: CCN
Type: RHSA-2009-0205
Low: dovecot security and bug fix update

Source: CCN
Type: SA32164
Dovecot ACL Plugin Security Bypass Security Issues

Source: SECUNIA
Type: Vendor Advisory
32164

Source: SECUNIA
Type: UNKNOWN
32471

Source: SECUNIA
Type: UNKNOWN
33149

Source: SECUNIA
Type: UNKNOWN
33624

Source: SECUNIA
Type: UNKNOWN
36904

Source: GENTOO
Type: UNKNOWN
GLSA-200812-16

Source: CCN
Type: Dovecot Web site
Download

Source: CCN
Type: Dovecot-news Mailing List, Sun Oct 5 20:14:30 EEST 2008
[Dovecot-news] v1.1.4 released

Source: MLIST
Type: Patch
[Dovecot-news] 20081005 v1.1.4 released

Source: CCN
Type: GLSA-200812-16
Dovecot: Multiple vulnerabilities

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2008:232

Source: REDHAT
Type: UNKNOWN
RHSA-2009:0205

Source: BID
Type: UNKNOWN
31587

Source: CCN
Type: BID-31587
Dovecot ACL Plugin Multiple Security Bypass Vulnerabilities

Source: CCN
Type: USN-838-1
Dovecot vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-838-1

Source: VUPEN
Type: UNKNOWN
ADV-2008-2745

Source: XF
Type: UNKNOWN
dovecot-acl-rights-security-bypass(45667)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10376

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-9202

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-9232

Source: SUSE
Type: SUSE-SR:2009:004
SUSE Security Summary Report

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta1:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta4:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta5:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta6:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta9:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc16:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc17:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc18:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc19:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc20:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc21:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc22:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc23:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc24:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc25:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc26:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc27:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc28:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.1:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.1:rc2:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:*:*:*:*:*:*:*:* (Version <= 1.1.3)

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:dovecot:dovecot:1.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.1:rc2:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:8.04::lts:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.0:-:x86_64:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20084577 | V | CVE-2008-4577 | 2015-11-16
    oval:org.mitre.oval:def:29313 | P | RHSA-2009:0205 -- dovecot security and bug fix update (Low) | 2015-08-17
    oval:org.mitre.oval:def:13646 | P | USN-838-1 -- dovecot vulnerabilities | 2014-06-30
    oval:org.mitre.oval:def:21764 | P | ELSA-2009:0205: dovecot security and bug fix update (Low) | 2014-05-26
    oval:org.mitre.oval:def:10376 | V | The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions. | 2013-04-29
    oval:com.redhat.rhsa:def:20090205 | P | RHSA-2009:0205: dovecot security and bug fix update (Low) | 2009-01-20