Vulnerability Details : CVE-2008-2937
Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a mailbox file even when this file is not owned by the recipient, which allows local users to read e-mail messages by creating a mailbox file corresponding to another user's account name.
Vulnerability category: Information leak
Products affected by CVE-2008-2937
- cpe:2.3:a:postfix:postfix:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:postfix:postfix:2.5.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-2937
0.04% (probability of exploitation activity in the next 30 days)
~8% (percentile: the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2008-2937
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
1.9 | LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N | 3.4 | 2.9 | NIST |
CWE ids for CVE-2008-2937
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2008-2937
- Red Hat (2008-08-19): Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=456347 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
References for CVE-2008-2937
- https://issues.rpath.com/browse/RPL-2689
- http://wiki.rpath.com/Advisories:rPSA-2008-0259
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:224 (Mandriva)
- http://www.redhat.com/support/errata/RHSA-2011-0422.html (Support)
- ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.4.HISTORY
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 (Juniper Networks, 2015-10 Security Bulletin: CTPView: Multiple Vulnerabilities in CTPView)
- http://www.securityfocus.com/archive/1/495632/100/0/threaded
- http://security.gentoo.org/glsa/glsa-200808-12.xml (Postfix: Local privilege escalation vulnerability, GLSA 200808-12, Gentoo security)
- http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.html ([security-announce] SUSE Security Announcement: postfix (SUSE-SA:2008:040), openSUSE Security Announce mailing list)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44461 (Postfix email information disclosure CVE-2008-2937 Vulnerability Report)
- https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00271.html ([SECURITY] Fedora 8 Update: postfix-2.5.5-1.fc8)
- ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-2.6-20080814.HISTORY
- http://www.securityfocus.com/bid/30691 (Patch)
- https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00287.html ([SECURITY] Fedora 9 Update: postfix-2.5.5-1.fc9)
- http://www.vupen.com/english/advisories/2008/2385