CVE-2009-3897

Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
VendorProductVersion
dovecotdovecot
1.2.0 ≤
𝑥
< 1.2.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
dovecot
bullseye
1:2.3.13+dfsg1-2+deb11u1
fixed
lenny
not-affected
etch
not-affected
bullseye (security)
1:2.3.13+dfsg1-2+deb11u2
fixed
bookworm
1:2.3.19.1+dfsg1-2.1+deb12u1
fixed
bookworm (security)
1:2.3.19.1+dfsg1-2.1+deb12u1
fixed
sid
1:2.3.21.1+dfsg1-1
fixed
trixie
1:2.3.21.1+dfsg1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dovecot
karmic
not-affected
jaunty
not-affected
intrepid
not-affected
hardy
not-affected
dapper
not-affected
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
http://marc.info/?l=oss-security&m=125871729029145&w=2
http://marc.info/?l=oss-security&m=125881481222441&w=2
http://marc.info/?l=oss-security&m=125900267208712&w=2
http://marc.info/?l=oss-security&m=125900271508796&w=2
http://secunia.com/advisories/37443
http://www.dovecot.org/list/dovecot-news/2009-November/000143.html
http://www.mandriva.com/security/advisories?name=MDVSA-2009:306
http://www.osvdb.org/60316
http://www.securityfocus.com/bid/37084
http://www.vupen.com/english/advisories/2009/3306
https://exchange.xforce.ibmcloud.com/vulnerabilities/54363
http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
http://marc.info/?l=oss-security&m=125871729029145&w=2
http://marc.info/?l=oss-security&m=125881481222441&w=2
http://marc.info/?l=oss-security&m=125900267208712&w=2
http://marc.info/?l=oss-security&m=125900271508796&w=2
http://secunia.com/advisories/37443
http://www.dovecot.org/list/dovecot-news/2009-November/000143.html
http://www.mandriva.com/security/advisories?name=MDVSA-2009:306
http://www.osvdb.org/60316
http://www.securityfocus.com/bid/37084
http://www.vupen.com/english/advisories/2009/3306
https://exchange.xforce.ibmcloud.com/vulnerabilities/54363