CVE-2010-3706

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:P/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 59%
VendorProductVersion
dovecotdovecot
1.2.0
dovecotdovecot
1.2.1
dovecotdovecot
1.2.2
dovecotdovecot
1.2.3
dovecotdovecot
1.2.4
dovecotdovecot
1.2.5
dovecotdovecot
1.2.6
dovecotdovecot
1.2.7
dovecotdovecot
1.2.8
dovecotdovecot
1.2.9
dovecotdovecot
1.2.10
dovecotdovecot
1.2.11
dovecotdovecot
1.2.12
dovecotdovecot
1.2.13
dovecotdovecot
1.2.14
dovecotdovecot
2.0.0
dovecotdovecot
2.0.1
dovecotdovecot
2.0.2
dovecotdovecot
2.0.3
dovecotdovecot
2.0.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
dovecot
bullseye
1:2.3.13+dfsg1-2+deb11u1
fixed
lenny
not-affected
bullseye (security)
1:2.3.13+dfsg1-2+deb11u2
fixed
bookworm
1:2.3.19.1+dfsg1-2.1+deb12u1
fixed
bookworm (security)
1:2.3.19.1+dfsg1-2.1+deb12u1
fixed
sid
1:2.3.21.1+dfsg1-1
fixed
trixie
1:2.3.21.1+dfsg1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dovecot
maverick
Fixed 1:1.2.12-1ubuntu8.1
released
lucid
Fixed 1:1.2.9-1ubuntu6.3
released
karmic
not-affected
jaunty
ignored
hardy
not-affected
dapper
not-affected
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html
http://marc.info/?l=oss-security&m=128620520732377&w=2
http://marc.info/?l=oss-security&m=128622064325688&w=2
http://secunia.com/advisories/43220
http://www.dovecot.org/list/dovecot/2010-October/053450.html
http://www.dovecot.org/list/dovecot/2010-October/053451.html
http://www.dovecot.org/list/dovecot/2010-October/053452.html
http://www.mandriva.com/security/advisories?name=MDVSA-2010:217
http://www.ubuntu.com/usn/USN-1059-1
http://www.vupen.com/english/advisories/2010/2572
http://www.vupen.com/english/advisories/2010/2840
http://www.vupen.com/english/advisories/2011/0301
http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html
http://marc.info/?l=oss-security&m=128620520732377&w=2
http://marc.info/?l=oss-security&m=128622064325688&w=2
http://secunia.com/advisories/43220
http://www.dovecot.org/list/dovecot/2010-October/053450.html
http://www.dovecot.org/list/dovecot/2010-October/053451.html
http://www.dovecot.org/list/dovecot/2010-October/053452.html
http://www.mandriva.com/security/advisories?name=MDVSA-2010:217
http://www.ubuntu.com/usn/USN-1059-1
http://www.vupen.com/english/advisories/2010/2572
http://www.vupen.com/english/advisories/2010/2840
http://www.vupen.com/english/advisories/2011/0301