CVE-2008-1218 : Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x befor

Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the skip_password_check field to be specified.

Published 2008-03-10 23:44:00

Updated 2018-10-11 20:30:09

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2008-1218

Dovecot » Dovecot » Update RC2
Versions up to, including, (<=) 1.1
cpe:2.3:a:dovecot:dovecot:*:rc2:*:*:*:*:*:*
Matching versions
Dovecot » Dovecot
Versions up to, including, (<=) 1.0.12
cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2008-1218

EPSS FAQ

16.66%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 94 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2008-1218

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2008-1218

CWE-255

Assigned by: nvd@nist.gov (Primary)

Vendor statements for CVE-2008-1218

Red Hat 2008-03-12

Not vulnerable. This issue did not affect versions of Dovecot as shipped with Red Hat Enterprise Linux 4 or 5.

References for CVE-2008-1218

https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html

[SECURITY] Fedora 8 Update: dovecot-1.0.13-6.fc8

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/41085

Dovecot TAB characters authentication bypass CVE-2008-1218 Vulnerability Report
http://www.securityfocus.com/archive/1/489481/100/0/threaded
http://www.dovecot.org/list/dovecot-news/2008-March/000065.html

[Dovecot-news] v1.0.13 and v1.1.rc3 released
https://issues.rpath.com/browse/RPL-2341
http://security.gentoo.org/glsa/glsa-200803-25.xml

Dovecot: Multiple vulnerabilities (GLSA 200803-25) — Gentoo security

CVEs referencing this url
http://www.debian.org/security/2008/dsa-1516

[SECURITY] [DSA 1516-1] New dovecot packages fix privilege escalation

CVEs referencing this url
http://www.securityfocus.com/bid/28181
https://www.exploit-db.com/exploits/5257

Dovecot IMAP 1.0.10 < 1.1rc2 - Remote Email Disclosure - Multiple remote Exploit
http://www.dovecot.org/list/dovecot-news/2008-March/000064.html

[Dovecot-news] Security hole #6: Some passdbs allowed users to log in without a valid password
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html

[SECURITY] Fedora 7 Update: dovecot-1.0.13-18.fc7

CVEs referencing this url
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108
https://usn.ubuntu.com/593-1/

404: Page not found | Ubuntu

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html

[security-announce] SUSE Security Summary Report: SUSE-SR:2008:020 - openSUSE Security Announce - openSUSE Mailing Lists

CVEs referencing this url