CVE-2008-2667 : SQL injection vulnerability in the Courier Authentication Library (aka courier-a

SQL injection vulnerability in the Courier Authentication Library (aka courier-authlib) before 0.60.6 on SUSE openSUSE 10.3 and 11.0, and other platforms, when MySQL and a non-Latin character set are used, allows remote attackers to execute arbitrary SQL commands via the username and unspecified other vectors.

Published 2008-07-07 23:41:00

Updated 2025-04-09 00:30:58

Source MITRE

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2008-2667

Courier-mta » Courtier-authlib » Version: 0.60.4
cpe:2.3:a:courier-mta:courtier-authlib:0.60.4:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.60.3
cpe:2.3:a:courier-mta:courtier-authlib:0.60.3:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.58
cpe:2.3:a:courier-mta:courtier-authlib:0.58:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.57
cpe:2.3:a:courier-mta:courtier-authlib:0.57:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.60
cpe:2.3:a:courier-mta:courtier-authlib:0.60:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.59.3
cpe:2.3:a:courier-mta:courtier-authlib:0.59.3:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.59.2
cpe:2.3:a:courier-mta:courtier-authlib:0.59.2:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.54
cpe:2.3:a:courier-mta:courtier-authlib:0.54:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.53
cpe:2.3:a:courier-mta:courtier-authlib:0.53:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.60.2
cpe:2.3:a:courier-mta:courtier-authlib:0.60.2:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.60.1
cpe:2.3:a:courier-mta:courtier-authlib:0.60.1:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.56
cpe:2.3:a:courier-mta:courtier-authlib:0.56:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.55
cpe:2.3:a:courier-mta:courtier-authlib:0.55:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.60.5
cpe:2.3:a:courier-mta:courtier-authlib:0.60.5:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.59.1
cpe:2.3:a:courier-mta:courtier-authlib:0.59.1:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.59
cpe:2.3:a:courier-mta:courtier-authlib:0.59:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0
Courier-mta » Courtier-authlib » Version: 0.52
cpe:2.3:a:courier-mta:courtier-authlib:0.52:*:*:*:*:*:*:*
Matching versions
When used together with: Suse » Open Suse » Version: 10.3
When used together with: Suse » Open Suse » Version: 11.0

Exploit prediction scoring system (EPSS) score for CVE-2008-2667

EPSS FAQ

1.58%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 80 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2008-2667

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.1	MEDIUM	AV:N/AC:H/Au:N/C:P/I:P/A:P	4.9	6.4	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2008-2667

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2008-2667

http://bugs.gentoo.org/show_bug.cgi?id=225407

225407 – (CVE-2008-2667) net-libs/courier-authlib < 0.60.6: MySQL Non-Latin SQL injection (CVE-2008-2667)
http://security.gentoo.org/glsa/glsa-200809-05.xml

Courier Authentication Library: SQL injection vulnerability (GLSA 200809-05) — Gentoo security
http://www.nabble.com/courier-authlib-0.60.6-released-td17720739.html

Error 404 Not Found
https://exchange.xforce.ibmcloud.com/vulnerabilities/43628

Novell OpenSUSE courier-authlib SQL injection CVE-2008-2667 Vulnerability Report
http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html

[security-announce] SUSE Security Summary Report SUSE-SR:2008:014 - openSUSE Security Announce - openSUSE Mailing Lists
Vendor Advisory

CVEs referencing this url
http://www.courier-mta.org/authlib/changelog.html

404 Not Found

CVEs referencing this url
http://secunia.com/advisories/30591

About Secunia Research | Flexera
Vendor Advisory
http://secunia.com/advisories/30967

About Secunia Research | Flexera
Vendor Advisory

CVEs referencing this url
http://www.mail-archive.com/courier-users%40lists.sourceforge.net/msg31362.html

Re: [courier-users] [Fwd: Re: authmysql vs apostrophe]
http://www.mail-archive.com/courier-users@lists.sourceforge.net/msg31362.html

Jump to

Vulnerability Details : CVE-2008-2667

Products affected by CVE-2008-2667

Exploit prediction scoring system (EPSS) score for CVE-2008-2667

CVSS scores for CVE-2008-2667

CWE ids for CVE-2008-2667

References for CVE-2008-2667