Vulnerability Details : CVE-2008-4577
The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.
Exploit prediction scoring system (EPSS) score for CVE-2008-4577
Probability of exploitation activity in the next 30 days: 0.33%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 68 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2008-4577
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.4
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
10.0
|
4.9
|
NIST |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2008-4577
-
Assigned by: nvd@nist.gov (Primary)
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Assigned by: nvd@nist.gov (Primary)
References for CVE-2008-4577
-
http://security.gentoo.org/glsa/glsa-200812-16.xml
Dovecot: Multiple vulnerabilities (GLSA 200812-16) — Gentoo securityThird Party Advisory
-
http://www.securityfocus.com/bid/31587
Broken Link;Third Party Advisory;VDB Entry
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376
404 Not FoundBroken Link
-
http://secunia.com/advisories/36904
About Secunia Research | FlexeraBroken Link
-
http://www.ubuntu.com/usn/USN-838-1
USN-838-1: Dovecot vulnerabilities | Ubuntu security notices | UbuntuThird Party Advisory
-
http://bugs.gentoo.org/show_bug.cgi?id=240409
240409 – (CVE-2008-4577) net-mail/dovecot < 1.1.4 acl_plugin privilege escalation (CVE-2008-4577,CVE-2008-4578)Issue Tracking
-
http://www.vupen.com/english/advisories/2008/2745
Webmail: access your OVH emails on ovhcloud.com | OVHcloudPermissions Required
-
http://www.redhat.com/support/errata/RHSA-2009-0205.html
SupportBroken Link
-
http://secunia.com/advisories/32471
About Secunia Research | FlexeraBroken Link
-
http://secunia.com/advisories/32164
About Secunia Research | FlexeraBroken Link;Vendor Advisory
-
http://secunia.com/advisories/33149
About Secunia Research | FlexeraBroken Link
-
http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
[Dovecot-news] v1.1.4 releasedMailing List;Release Notes
-
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html
[SECURITY] Fedora 8 Update: dovecot-1.0.15-14.fc8Mailing List
-
http://secunia.com/advisories/33624
About Secunia Research | FlexeraBroken Link
-
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2009:004 - openSUSE Security Announce - openSUSE Mailing ListsMailing List
-
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html
[SECURITY] Fedora 9 Update: dovecot-1.0.15-14.fc9Mailing List
-
http://www.mandriva.com/security/advisories?name=MDVSA-2008:232
MandrivaBroken Link
Products affected by CVE-2008-4577
- cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
- cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:10.3-11.1:*:*:*:*:*:*:*