Vulnerability Name:

CVE-2008-4578 (CCN-45669)

Assigned: 2008-10-05
Published: 2008-10-05
Updated: 2018-10-11
Summary: The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass intended access restrictions by using the "k" right to create unauthorized "parent/child/child" mailboxes.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:

Source: CONFIRM
Type: UNKNOWN
http://bugs.gentoo.org/show_bug.cgi?id=240409

Source: MITRE
Type: CNA
CVE-2008-4578

Source: CCN
Type: SA32164
Dovecot ACL Plugin Security Bypass Security Issues

Source: SECUNIA
Type: Vendor Advisory
32164

Source: SECUNIA
Type: UNKNOWN
33149

Source: GENTOO
Type: UNKNOWN
GLSA-200812-16

Source: CCN
Type: Dovecot Web site
Download

Source: CCN
Type: Dovecot-news Mailing List, Sun Oct 5 20:14:30 EEST 2008
[Dovecot-news] v1.1.4 released

Source: MLIST
Type: Patch
[Dovecot-news] 20081005 v1.1.4 released

Source: CCN
Type: GLSA-200812-16
Dovecot: Multiple vulnerabilities

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2008:232

Source: CCN
Type: OSVDB ID: 49099
Dovecot ACL Plugin k Right Mailbox Creation Restriction Bypass

Source: BUGTRAQ
Type: UNKNOWN
20081119 Re: [ MDVSA-2008:232 ] dovecot

Source: BID
Type: UNKNOWN
31587

Source: CCN
Type: BID-31587
Dovecot ACL Plugin Multiple Security Bypass Vulnerabilities

Source: VUPEN
Type: UNKNOWN
ADV-2008-2745

Source: XF
Type: UNKNOWN
dovecot-acl-mailbox-security-bypass(45669)

Vulnerable Configuration: Configuration 1:
  • cpe:/a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta1:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta4:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta5:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta6:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.beta9:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc16:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc17:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc18:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc19:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc20:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc21:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc22:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc23:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc24:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc25:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc26:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc27:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.rc28:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.1:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.1:rc2:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:*:*:*:*:*:*:*:* (Version <= 1.1.3)

Configuration CCN 1:
  • cpe:/a:dovecot:dovecot:1.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.1:rc2:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*
  • OR cpe:/a:dovecot:dovecot:1.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.0:-:x86_64:*:*:*:*:*

  • * Denotes that component is vulnerable