VRDA Feed by JPCERT/CC
  Vulnerability Response Decision Assistance Feed : Information for vulnerability impact analysis



 
Vulnerability Analysis Result (Revision No: 1)
CVE-2010-3707
dovecot: plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x be...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3707

Original

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.






About This Analysis Information
Analysis Information Provider: NIST NVD
First Published: 2010-10-06
Source Information Category: Advisory, Alert
Last Updated: 2010-10-07




Affected Product Tags
cpe:/a:dovecot:dovecot:1.2.0
cpe:/a:dovecot:dovecot:1.2.1
cpe:/a:dovecot:dovecot:1.2.10
cpe:/a:dovecot:dovecot:1.2.11
cpe:/a:dovecot:dovecot:1.2.12
cpe:/a:dovecot:dovecot:1.2.13
cpe:/a:dovecot:dovecot:1.2.14
cpe:/a:dovecot:dovecot:1.2.2
cpe:/a:dovecot:dovecot:1.2.3
cpe:/a:dovecot:dovecot:1.2.4
cpe:/a:dovecot:dovecot:1.2.5
cpe:/a:dovecot:dovecot:1.2.6
cpe:/a:dovecot:dovecot:1.2.7
cpe:/a:dovecot:dovecot:1.2.8
cpe:/a:dovecot:dovecot:1.2.9
cpe:/a:dovecot:dovecot:2.0.0
cpe:/a:dovecot:dovecot:2.0.1
cpe:/a:dovecot:dovecot:2.0.2
cpe:/a:dovecot:dovecot:2.0.3
cpe:/a:dovecot:dovecot:2.0.4
 


Vulnerability Analysis Results
[Access Vector]
Undefined
Local
Adjacent Network
X Network

[Access Complexity]
Undefined
High
Medium
X Low

[Authentication]
Undefined
Multiple
X Single
None

[Confidentiality Impact]
Undefined
None
X Partial
Complete

[Integrity Impact]
Undefined
None
X Partial
Complete

[Availability Impact]
Undefined
X None
Partial
Complete





References
MLIST [dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0
MLIST [dovecot] 20101002 v2.0.5 released
MLIST [dovecot] 20101002 v1.2.15 released
MLIST [oss-security] 20101004 Re: CVE Request: more dovecot ACL issues
MLIST [oss-security] 20101004 CVE Request: more dovecot ACL issues
VUPEN ADV-2010-2572




Vulnerability Type: Permissions, Privileges, and Access Control (CWE-264)





Copyright © 2010 JPCERT/CC All Rights Reserved.