Vulnerability Details : CVE-2008-4578
The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass intended access restrictions by using the "k" right to create unauthorized "parent/child/child" mailboxes.
Products affected by CVE-2008-4578
- cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.beta4:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.beta5:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc20:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc27:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc28:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc18:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc19:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc25:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc26:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.beta6:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc21:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc22:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.beta1:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.beta9:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc16:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc17:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc23:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc24:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.1.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-4578
- EPSS score: 0.76% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~71% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2008-4578
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |
CWE ids for CVE-2008-4578
- Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2008-4578
- Red Hat, 2008-10-24: The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 5.
References for CVE-2008-4578
- http://security.gentoo.org/glsa/glsa-200812-16.xml (Dovecot: Multiple vulnerabilities (GLSA 200812-16), Gentoo security)
- http://www.securityfocus.com/bid/31587
- http://bugs.gentoo.org/show_bug.cgi?id=240409 (Gentoo bug 240409: net-mail/dovecot < 1.1.4 acl_plugin privilege escalation (CVE-2008-4577, CVE-2008-4578))
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45669 (Dovecot ACL mailbox security bypass CVE-2008-4578 Vulnerability Report)
- http://www.vupen.com/english/advisories/2008/2745
- http://secunia.com/advisories/32164 (Secunia advisory 32164; Vendor Advisory)
- http://secunia.com/advisories/33149 (Secunia advisory 33149)
- http://www.dovecot.org/list/dovecot-news/2008-October/000085.html ([Dovecot-news] v1.1.4 released; Patch)
- http://www.securityfocus.com/archive/1/498498/100/0/threaded
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:232 (Mandriva advisory MDVSA-2008:232)