Description
Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.
References (12)
Core References
Broken Link, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/37443
Broken Link vdb-entry
x_refsource_osvdb
http://www.osvdb.org/60316
Mailing List mailing-list
x_refsource_mlist
http://marc.info/?l=oss-security&m=125881481222441&w=2
Mailing List, Patch, Vendor Advisory mailing-list
x_refsource_mlist
http://www.dovecot.org/list/dovecot-news/2009-November/000143.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
Patch, Permissions Required, Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3306
Mailing List, Patch mailing-list
x_refsource_mlist
http://marc.info/?l=oss-security&m=125900267208712&w=2
Mailing List, Patch mailing-list
x_refsource_mlist
http://marc.info/?l=oss-security&m=125871729029145&w=2
Broken Link, Patch, Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/37084
Not Applicable vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:306
Mailing List mailing-list
x_refsource_mlist
http://marc.info/?l=oss-security&m=125900271508796&w=2
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/54363
Scores
CVSS v3
5.5
EPSS
0.0008
EPSS Percentile
24.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-732
Status
published
Products (1)
dovecot/dovecot
1.2.0 - 1.2.8
Published
Nov 24, 2009
Tracked Since
Feb 18, 2026