CVE-2008-4577

EUVD-2008-4557
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
Affected Products (NVD)
VendorProductVersion
dovecotdovecot
𝑥
< 1.1.4
opensuseopensuse
10.3-11.1
canonicalubuntu_linux
8.04
canonicalubuntu_linux
8.10
canonicalubuntu_linux
9.04
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
dovecot
bookworm
1:2.3.19.1+dfsg1-2.1+deb12u1
fixed
bookworm (security)
1:2.3.19.1+dfsg1-2.1+deb12u1
fixed
bullseye
1:2.3.13+dfsg1-2+deb11u1
fixed
bullseye (security)
1:2.3.13+dfsg1-2+deb11u2
fixed
etch
no-dsa
sid
1:2.3.21.1+dfsg1-1
fixed
trixie
1:2.3.21.1+dfsg1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dovecot
dapper
not-affected
gutsy
ignored
hardy
Fixed 1:1.0.10-1ubuntu5.2
released
intrepid
not-affected
jaunty
not-affected
Common Weakness Enumeration
References
http://bugs.gentoo.org/show_bug.cgi?id=240409
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
http://secunia.com/advisories/32164
http://secunia.com/advisories/32471
http://secunia.com/advisories/33149
http://secunia.com/advisories/33624
http://secunia.com/advisories/36904
http://security.gentoo.org/glsa/glsa-200812-16.xml
http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
http://www.mandriva.com/security/advisories?name=MDVSA-2008:232
http://www.redhat.com/support/errata/RHSA-2009-0205.html
http://www.securityfocus.com/bid/31587
http://www.ubuntu.com/usn/USN-838-1
http://www.vupen.com/english/advisories/2008/2745
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html
http://bugs.gentoo.org/show_bug.cgi?id=240409
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
http://secunia.com/advisories/32164
http://secunia.com/advisories/32471
http://secunia.com/advisories/33149
http://secunia.com/advisories/33624
http://secunia.com/advisories/36904
http://security.gentoo.org/glsa/glsa-200812-16.xml
http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
http://www.mandriva.com/security/advisories?name=MDVSA-2008:232
http://www.redhat.com/support/errata/RHSA-2009-0205.html
http://www.securityfocus.com/bid/31587
http://www.ubuntu.com/usn/USN-838-1
http://www.vupen.com/english/advisories/2008/2745
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html