Vulnerability CVE-2009-1631

Vulnerability Name:

CVE-2009-1631 (CCN-50512)

Assigned:

2009-05-06

Published:

2009-05-06

Updated:

2009-05-23

Summary:

The Mailer component in Evolution 2.26.1 and earlier uses world-readable permissions for the .evolution directory, and certain directories and files under .evolution/ related to local mail, which allows local users to obtain sensitive information by reading these files.

CVSS v3 Severity:

4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
2.0 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
2.0 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Other

References:

Source: CCN
Type: Debian Bug report logs - #526409
evolution: permissions on mailbox folders are set wrong

Source: MISC
Type: Exploit
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526409

Source: CCN
Type: GNOME Bugzilla Bug 581604
Permissions on mail/local folders are too open

Source: MISC
Type: UNKNOWN
http://bugzilla.gnome.org/show_bug.cgi?id=581604

Source: MITRE
Type: CNA
CVE-2009-1631

Source: MLIST
Type: UNKNOWN
[oss-security] 20090512 CVE Request (evolution)

Source: CCN
Type: OSVDB ID: 54679
Evolution Mailer Component .evolution Directory Permission Weakness Local Information Disclosure

Source: BID
Type: UNKNOWN
34921

Source: CCN
Type: BID-34921
GNOME Evolution '~/.evolution/mail/local' File Permission Vulnerability

Source: CCN
Type: Red Hat Bugzilla Bug 498648
evolution: insecure permissions on evolution mailbox folders

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=498648

Source: XF
Type: UNKNOWN
evolution-maillocal-weak-security(50512)

Vulnerable Configuration:

Configuration 1:

cpe:/a:gnome:evolution:1.0.8:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:1.2:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:1.2.1:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:1.2.2:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:1.2.3:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:1.2.4:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:1.4:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:1.4.3:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:1.4.4:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:1.4.5:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:1.4.6:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:2.4:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:2.6:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:2.12:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:2.24:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:*:*:*:*:*:*:*:* (Version <= 2.26.1)

Configuration CCN 1:

cpe:/a:gnome:evolution:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:2.22.1:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:2.0:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:2.1:*:*:*:*:*:*:*

OR cpe:/a:gnome:evolution:2.2:*:*:*:*:*:*:*