CVE-2007-3275 - OpenCVE

MailWasher Server before 2.2.1, when used with LDAP or Active Directory (AD), does not properly handle blank passwords, which allows remote attackers to access an arbitrary user account and read the spam e-mail messages stored for that account, possibly related to the LoginCheck::doPost function in mwi/servlet/Login.cpp. NOTE: some of these details are obtained from third party information.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:C/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mailwasher	Mailwasher Server

Configuration 1 [-]

cpe:2.3:a:mailwasher:mailwasher_server:*:*:*:*:*:*:*:*

References

Link	Resource
http://osvdb.org/37538
http://secunia.com/advisories/25695	Patch Vendor Advisory
http://sourceforge.net/project/shownotes.php?release_id=515127
http://www.securityfocus.com/bid/24507
http://www.vupen.com/english/advisories/2007/2239	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/34925

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2007-06-19T21:00:00

Updated: 2017-07-28T12:57:01

Reserved: 2007-06-19T00:00:00

Link: CVE-2007-3275

JSON object: View

NVD Information

Status : Modified

Published: 2007-06-19T21:30:00.000

Modified: 2017-07-29T01:32:08.253

Link: CVE-2007-3275

JSON object: View

Redhat Information

No data.

CWE

CWE-255

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-06-18T00:00:00", "descriptions": [{"lang": "en", "value": "MailWasher Server before 2.2.1, when used with LDAP or Active Directory (AD), does not properly handle blank passwords, which allows remote attackers to access an arbitrary user account and read the spam e-mail messages stored for that account, possibly related to the LoginCheck::doPost function in mwi/servlet/Login.cpp. NOTE: some of these details are obtained from third party information."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "25695", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/25695"}, {"name": "37538", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/37538"}, {"name": "ADV-2007-2239", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/2239"}, {"name": "mailwasher-logincheck-unauthorized-access(34925)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34925"}, {"name": "24507", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/24507"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://sourceforge.net/project/shownotes.php?release_id=515127"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-3275", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MailWasher Server before 2.2.1, when used with LDAP or Active Directory (AD), does not properly handle blank passwords, which allows remote attackers to access an arbitrary user account and read the spam e-mail messages stored for that account, possibly related to the LoginCheck::doPost function in mwi/servlet/Login.cpp. NOTE: some of these details are obtained from third party information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "25695", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/25695"}, {"name": "37538", "refsource": "OSVDB", "url": "http://osvdb.org/37538"}, {"name": "ADV-2007-2239", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/2239"}, {"name": "mailwasher-logincheck-unauthorized-access(34925)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34925"}, {"name": "24507", "refsource": "BID", "url": "http://www.securityfocus.com/bid/24507"}, {"name": "http://sourceforge.net/project/shownotes.php?release_id=515127", "refsource": "CONFIRM", "url": "http://sourceforge.net/project/shownotes.php?release_id=515127"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-3275", "datePublished": "2007-06-19T21:00:00", "dateReserved": "2007-06-19T00:00:00", "dateUpdated": "2017-07-28T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mailwasher:mailwasher_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D77B45EB-7ABD-45C7-9FA5-A011F351272B", "versionEndIncluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MailWasher Server before 2.2.1, when used with LDAP or Active Directory (AD), does not properly handle blank passwords, which allows remote attackers to access an arbitrary user account and read the spam e-mail messages stored for that account, possibly related to the LoginCheck::doPost function in mwi/servlet/Login.cpp. NOTE: some of these details are obtained from third party information."}, {"lang": "es", "value": "MailWasher Server versiones anteriores a 2.2.1, cuando es usado con LDAP o Active Directory (AD), no maneja apropiadamente las contrase\u00f1as en blanco, lo que permite a atacantes remotos acceder a una cuenta de usuario arbitraria y leer los mensajes de correo electr\u00f3nico de tipo spam almacenados posiblemente relacionados con la funci\u00f3n LoginCheck::doPost en el archivo mwi/servlet/Login.cpp. NOTA: algunos de estos datos son obtenidos a partir de informaci\u00f3n de terceros."}], "evaluatorImpact": "Successful exploitation requires knowledge of a valid username and that MailWasher Server is integrated into an AD domain or LDAP repository.", "id": "CVE-2007-3275", "lastModified": "2017-07-29T01:32:08.253", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 7.1, "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-06-19T21:30:00.000", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/37538"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/25695"}, {"source": "cve@mitre.org", "url": "http://sourceforge.net/project/shownotes.php?release_id=515127"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/24507"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2007/2239"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34925"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}], "source": "nvd@nist.gov", "type": "Primary"}]}