Vulnerability Details : CVE-2008-5301
Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to read and modify arbitrary .sieve files via a ".." (dot dot) in a script name.
Vulnerability category: Directory traversal
Products affected by CVE-2008-5301
- cpe:2.3:a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:1.1.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-5301
0.57%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 66 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2008-5301
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
10.0
|
4.9
|
NIST |
CWE ids for CVE-2008-5301
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2008-5301
-
Red Hat 2008-12-02Not vulnerable. This issue did not affect the versions of dovecot as shipped with Red Hat Enterprise Linux 4, or 5. Those packages do not include ManageSieve server.
References for CVE-2008-5301
-
http://secunia.com/advisories/36904
About Secunia Research | Flexera
-
http://www.ubuntu.com/usn/USN-838-1
USN-838-1: Dovecot vulnerabilities | Ubuntu security notices | Ubuntu
-
http://www.securityfocus.com/bid/32582
-
http://www.vupen.com/english/advisories/2008/3190
Site en construction
-
http://www.dovecot.org/list/dovecot/2008-November/035259.html
[Dovecot] ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)Patch
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/46672
ManageSieve .sieve directory traversal CVE-2008-5301 Vulnerability Report
-
http://secunia.com/advisories/32768
About Secunia Research | FlexeraVendor Advisory
Jump to