CVE-2009-3897

MEDIUM

Dovecot <1.2.8 - Privilege Escalation

Title source: llm

Description

Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.

References (12)

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html

[Mailing List, Patch] http://marc.info/?l=oss-security&m=125871729029145&w=2

[Mailing List] http://marc.info/?l=oss-security&m=125881481222441&w=2

[Mailing List, Patch] http://marc.info/?l=oss-security&m=125900267208712&w=2

[Mailing List] http://marc.info/?l=oss-security&m=125900271508796&w=2

[Broken Link, Vendor Advisory] http://secunia.com/advisories/37443

[Mailing List, Patch, Vendor Advisory] http://www.dovecot.org/list/dovecot-news/2009-November/000143.html

[Not Applicable] http://www.mandriva.com/security/advisories?name=MDVSA-2009:306

[Broken Link] http://www.osvdb.org/60316

[Broken Link, Patch, Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/37084

[Patch, Permissions Required, Vendor Advisory] http://www.vupen.com/english/advisories/2009/3306

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/54363

Scores

CVSS v3 5.5

EPSS 0.0008

EPSS Percentile 23.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-732

Status draft

Affected Products (1)

dovecot/dovecot < 1.2.8

Timeline

Published Nov 24, 2009

Tracked Since Feb 18, 2026