Vulnerability Details: CVE-2009-1631
The Mailer component in Evolution 2.26.1 and earlier uses world-readable permissions for the .evolution directory, and certain directories and files under .evolution/ related to local mail, which allows local users to obtain sensitive information by reading these files.
Products affected by CVE-2009-1631
- cpe:2.3:a:gnome:evolution:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.24:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.12:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:evolution:1.2.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-1631
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- Percentile: ~6% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2009-1631
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST | |
CWE ids for CVE-2009-1631
- Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2009-1631
- Red Hat, 2009-12-07: Red Hat does not consider this to be a security issue. By default, user home directories are created with mode 0700 permissions, which would not expose the ~/.evolution/ directory regardless of its own permissions. If a user intentionally relaxes permissions on their home directory, they should be auditing all files and directories in order to not expose unwanted files to other local users.
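The description and the vendor statement together imply a reachability check: a file under .evolution is readable by another local user only if every directory from the home directory down grants search permission to "other". The audit below is an added example, not code from this entry, Evolution, or any vendor; it looks only at classic mode bits for "other" (ACLs, group access and the parents of the home directory are assumed not to matter), and the mail/local layout in `demo()` is constructed.

```python
import os
import stat
import tempfile


def exposed_paths(home, subdir=".evolution"):
    """Return (path, mode) pairs under home/subdir readable by other local users.

    A path is reachable only if each directory from `home` down to it grants
    search (x) to "other"; it is reported if it also grants read (r).
    """
    home = os.path.abspath(home)
    findings = []
    if not stat.S_IMODE(os.lstat(home).st_mode) & stat.S_IXOTH:
        return findings  # closed home (e.g. 0700): nothing below is reachable
    root = os.path.join(home, subdir)
    if not os.path.isdir(root):
        return findings
    stack = [root]
    while stack:
        path = stack.pop()
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # do not follow links out of the audited tree
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IROTH:
            findings.append((path, oct(mode)))
        # Descend only where "other" could traverse as well.
        if stat.S_ISDIR(st.st_mode) and mode & stat.S_IXOTH:
            stack.extend(os.path.join(path, n) for n in os.listdir(path))
    return sorted(findings)


def demo():
    """Constructed tree: same .evolution modes under an open, then a closed home."""
    with tempfile.TemporaryDirectory() as home:
        evo = os.path.join(home, ".evolution")
        local = os.path.join(evo, "mail", "local")
        os.makedirs(local)
        inbox = os.path.join(local, "Inbox")
        open(inbox, "w").close()
        for d in (evo, os.path.dirname(local), local):
            os.chmod(d, 0o755)  # world-readable directories, as described
        os.chmod(inbox, 0o644)
        os.chmod(home, 0o755)  # home permissions relaxed by the user
        open_home = [os.path.relpath(p, home) for p, _ in exposed_paths(home)]
        os.chmod(home, 0o700)  # default cited in the vendor statement
        return open_home, exposed_paths(home)
```

Run `exposed_paths(os.path.expanduser("~"))` as the account owner; an empty list means nothing under .evolution is reachable through "other" mode bits.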
References for CVE-2009-1631
- http://www.securityfocus.com/bid/34921
- http://www.openwall.com/lists/oss-security/2009/05/12/6
  oss-security - CVE Request (evolution)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526409
  #526409 - CVE-2009-1631: world-readable permissions for the .evolution directory - Debian Bug report logs [Exploit]
- http://bugzilla.gnome.org/show_bug.cgi?id=581604
  Bug 581604 – Permissions on mail/local folders are too open
- https://bugzilla.redhat.com/show_bug.cgi?id=498648
  498648 – (CVE-2009-1631) CVE-2009-1631 evolution: insecure permissions on evolution mailbox folders