CVE-2008-1199

Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.4 UNKNOWN
LOCAL
MEDIUM
AV:L/AC:M/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
dovecotdovecot
0.99.13
dovecotdovecot
0.99.14
dovecotdovecot
1.0
dovecotdovecot
1.0.2
dovecotdovecot
1.0.3
dovecotdovecot
1.0.4
dovecotdovecot
1.0.5
dovecotdovecot
1.0.6
dovecotdovecot
1.0.7
dovecotdovecot
1.0.8
dovecotdovecot
1.0.9
dovecotdovecot
1.0.10
dovecotdovecot
1.0.beta2:beta2
dovecotdovecot
1.0.beta3:beta3
dovecotdovecot
1.0.beta7:beta7
dovecotdovecot
1.0.beta8:beta8
dovecotdovecot
1.0.rc1:rc1
dovecotdovecot
1.0.rc2:rc2
dovecotdovecot
1.0.rc3:rc3
dovecotdovecot
1.0.rc4:rc4
dovecotdovecot
1.0.rc5:rc5
dovecotdovecot
1.0.rc6:rc6
dovecotdovecot
1.0.rc7:rc7
dovecotdovecot
1.0.rc8:rc8
dovecotdovecot
1.0.rc9:rc9
dovecotdovecot
1.0.rc10:rc10
dovecotdovecot
1.0.rc11:rc11
dovecotdovecot
1.0.rc12:rc12
dovecotdovecot
1.0.rc13:rc13
dovecotdovecot
1.0.rc14:rc14
dovecotdovecot
1.0.rc15:rc15
dovecotdovecot
1.0_rc29:_rc29
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
dovecot
bookworm
1:2.3.19.1+dfsg1-2.1+deb12u1
fixed
bookworm (security)
1:2.3.19.1+dfsg1-2.1+deb12u1
fixed
bullseye
1:2.3.13+dfsg1-2+deb11u1
fixed
bullseye (security)
1:2.3.13+dfsg1-2+deb11u2
fixed
sid
1:2.3.21.1+dfsg1-1
fixed
trixie
1:2.3.21.1+dfsg1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dovecot
dapper
Fixed 1.0.beta3-3ubuntu5.6
released
edgy
Fixed 1.0.rc2-1ubuntu2.3
released
feisty
Fixed 1.0.rc17-1ubuntu2.3
released
gutsy
Fixed 1:1.0.5-1ubuntu2.2
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html
http://secunia.com/advisories/29226
http://secunia.com/advisories/29385
http://secunia.com/advisories/29396
http://secunia.com/advisories/29557
http://secunia.com/advisories/30342
http://secunia.com/advisories/32151
http://security.gentoo.org/glsa/glsa-200803-25.xml
http://www.debian.org/security/2008/dsa-1516
http://www.dovecot.org/list/dovecot-news/2008-March/000061.html
http://www.redhat.com/support/errata/RHSA-2008-0297.html
http://www.securityfocus.com/archive/1/489133/100/0/threaded
http://www.securityfocus.com/bid/28092
https://exchange.xforce.ibmcloud.com/vulnerabilities/41009
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739
https://usn.ubuntu.com/593-1/
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html
http://secunia.com/advisories/29226
http://secunia.com/advisories/29385
http://secunia.com/advisories/29396
http://secunia.com/advisories/29557
http://secunia.com/advisories/30342
http://secunia.com/advisories/32151
http://security.gentoo.org/glsa/glsa-200803-25.xml
http://www.debian.org/security/2008/dsa-1516
http://www.dovecot.org/list/dovecot-news/2008-March/000061.html
http://www.redhat.com/support/errata/RHSA-2008-0297.html
http://www.securityfocus.com/archive/1/489133/100/0/threaded
http://www.securityfocus.com/bid/28092
https://exchange.xforce.ibmcloud.com/vulnerabilities/41009
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739
https://usn.ubuntu.com/593-1/
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html