Vulnerability Details : CVE-2009-3897
Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.
Products affected by CVE-2009-3897
- cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-3897
- 0.04%: Probability of exploitation activity in the next 30 days
- ~ 6 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2009-3897
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P | 3.9 | 6.4 | NIST | |
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST | 2024-02-08 |
CWE ids for CVE-2009-3897
- Assigned by: nvd@nist.gov (Primary)
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-3897
- http://secunia.com/advisories/37443
  About Secunia Research | Flexera (Broken Link; Vendor Advisory)
- http://marc.info/?l=oss-security&m=125900271508796&w=2
  'Re: [oss-security] CVE Request - Dovecot - 1.2.8' - MARC (Mailing List)
- http://www.securityfocus.com/bid/37084
  (Broken Link; Patch; Third Party Advisory; VDB Entry)
- http://marc.info/?l=oss-security&m=125900267208712&w=2
  'Re: [oss-security] CVE request: v1.2.8 released to fix the 0777' - MARC (Mailing List; Patch)
- http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
  [security-announce] SUSE Security Summary Report: SUSE-SR:2010:001 (Mailing List)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54363
  Dovecot base_dir privilege escalation CVE-2009-3897 Vulnerability Report (Third Party Advisory; VDB Entry)
- http://www.vupen.com/english/advisories/2009/3306
  Webmail: access your OVH emails on ovhcloud.com | OVHcloud (Patch; Permissions Required; Vendor Advisory)
- http://marc.info/?l=oss-security&m=125881481222441&w=2
  '[oss-security] CVE Request - Dovecot - 1.2.8' - MARC (Mailing List)
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:306
  Mandriva (Not Applicable)
- http://www.dovecot.org/list/dovecot-news/2009-November/000143.html
  [Dovecot-news] v1.2.8 released (Mailing List; Patch; Vendor Advisory)
- http://www.osvdb.org/60316
  404 Not Found (Broken Link)
- http://marc.info/?l=oss-security&m=125871729029145&w=2
  '[oss-security] CVE request: v1.2.8 released to fix the 0777 base_dir creation issue' - MARC (Mailing List; Patch)