Vulnerability Details : CVE-2010-3707
plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.
Exploit prediction scoring system (EPSS) score for CVE-2010-3707
Probability of exploitation activity in the next 30 days: 0.23%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 60 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2010-3707
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
5.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |
8.0
|
4.9
|
NIST |
CWE ids for CVE-2010-3707
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-3707
-
http://www.mandriva.com/security/advisories?name=MDVSA-2010:217
mandriva.com
-
http://marc.info/?l=oss-security&m=128620520732377&w=2
'[oss-security] CVE Request: more dovecot ACL issues' - MARC
-
http://www.vupen.com/english/advisories/2010/2572
Webmail | OVH- OVHVendor Advisory
-
http://www.dovecot.org/list/dovecot/2010-October/053452.html
[Dovecot] ACL handling bugs in v1.2.8+ and v2.0Vendor Advisory
-
http://www.dovecot.org/list/dovecot/2010-October/053451.html
[Dovecot] v2.0.5 releasedVendor Advisory
-
http://www.dovecot.org/list/dovecot/2010-October/053450.html
[Dovecot] v1.2.15 releasedVendor Advisory
-
http://marc.info/?l=oss-security&m=128622064325688&w=2
'Re: [oss-security] CVE Request: more dovecot ACL issues' - MARC
-
http://www.redhat.com/support/errata/RHSA-2011-0600.html
Support
-
http://www.vupen.com/english/advisories/2010/2840
Webmail | OVH- OVH
-
http://www.ubuntu.com/usn/USN-1059-1
USN-1059-1: Dovecot vulnerabilities | Ubuntu security notices
-
http://www.vupen.com/english/advisories/2011/0301
Webmail | OVH- OVH
-
http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2010:020
Products affected by CVE-2010-3707
- cpe:2.3:a:dovecot:dovecot:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.2.14:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:*