{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-03-04T00:00:00", "descriptions": [{"lang": "en", "value": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "GLSA-200803-25", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml"}, {"name": "oval:org.mitre.oval:def:10739", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739"}, {"name": "[Dovecot-news] 20080504 v1.0.11 released", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html"}, {"name": "29557", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29557"}, {"name": "20080304 Dovecot mail_extra_groups setting is often used insecurely", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded"}, {"name": "30342", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30342"}, {"name": "RHSA-2008:0297", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html"}, {"name": "DSA-1516", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2008/dsa-1516"}, {"name": "USN-593-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/593-1/"}, {"name": "FEDORA-2008-2475", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html"}, {"name": "SUSE-SR:2008:020", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html"}, {"name": "28092", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/28092"}, {"name": "29226", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29226"}, {"name": "32151", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/32151"}, {"name": "29385", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29385"}, {"name": "dovecot-mailextragroups-unauth-access(41009)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009"}, {"name": "FEDORA-2008-2464", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html"}, {"name": "29396", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29396"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1199", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "GLSA-200803-25", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml"}, {"name": "oval:org.mitre.oval:def:10739", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739"}, {"name": "[Dovecot-news] 20080504 v1.0.11 released", "refsource": "MLIST", "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html"}, {"name": "29557", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29557"}, {"name": "20080304 Dovecot mail_extra_groups setting is often used insecurely", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded"}, {"name": "30342", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30342"}, {"name": "RHSA-2008:0297", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html"}, {"name": "DSA-1516", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1516"}, {"name": "USN-593-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/593-1/"}, {"name": "FEDORA-2008-2475", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html"}, {"name": "SUSE-SR:2008:020", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html"}, {"name": "28092", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28092"}, {"name": "29226", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29226"}, {"name": "32151", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32151"}, {"name": "29385", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29385"}, {"name": "dovecot-mailextragroups-unauth-access(41009)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009"}, {"name": "FEDORA-2008-2464", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html"}, {"name": "29396", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29396"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1199", "datePublished": "2008-03-06T21:00:00", "dateReserved": "2008-03-06T00:00:00", "dateUpdated": "2018-10-11T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*", "matchCriteriaId": "D0616CCF-D278-4B6D-A58B-393BCA128CF1", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*", "matchCriteriaId": "D3C7BE64-7C1E-4043-A1C5-D0A7377C01A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4240BD98-3C31-42CE-AF8F-045DD4BFC084", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1C05ACA0-ED87-4DDF-94B6-8D25BE1790F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "8A8C0C4A-F9DB-4BB7-BFC5-BEC22C3FE40B", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "B7E00B56-A1E5-4261-8349-37654AA9FB64", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "E66427AA-A9D4-413F-8354-EA61407307C1", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "D74BE6C7-114D-4885-8472-FFE71C817B8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "4A349510-4D00-4978-93D9-3F9F5E0CD8DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "B65B9EFD-1531-463C-992E-F0F16AABF9C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "34BA7146-5793-44F4-9569-9D868FE6E325", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "B5078363-6B42-491B-A219-F8D8A86132BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta2:*:*:*:*:*:*:*", "matchCriteriaId": "9D680474-C329-4DD0-B4EA-2406E27EC474", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta3:*:*:*:*:*:*:*", "matchCriteriaId": "165A0D0B-C6B0-431F-BF36-223A27CD6A42", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta7:*:*:*:*:*:*:*", "matchCriteriaId": "99268D48-CF82-450B-A033-D87AF4109531", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.beta8:*:*:*:*:*:*:*", "matchCriteriaId": "B2E09737-8107-45C0-BFF1-FB4CF81564CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc1:*:*:*:*:*:*:*", "matchCriteriaId": "91E74D81-DF10-423A-8549-3BB5ED02B5A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc2:*:*:*:*:*:*:*", "matchCriteriaId": "07D6853E-7E81-443D-8806-C8469217F55C", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc3:*:*:*:*:*:*:*", "matchCriteriaId": "D1BE4B6A-47A2-457B-B6B8-8FE5C2026A11", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc4:*:*:*:*:*:*:*", "matchCriteriaId": "7382F655-9B27-443D-9397-346FBEADEFDA", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc5:*:*:*:*:*:*:*", "matchCriteriaId": "6F180045-A0DA-40A3-AD3E-F3402FB6456A", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc6:*:*:*:*:*:*:*", "matchCriteriaId": "C1A2FFE7-D008-47B4-80E7-AEC176918E06", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc7:*:*:*:*:*:*:*", "matchCriteriaId": "8C840337-7B31-476B-BBCD-65F4899925E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc8:*:*:*:*:*:*:*", "matchCriteriaId": "545EF2F5-9BAE-4612-9958-70A5413818A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc9:*:*:*:*:*:*:*", "matchCriteriaId": "E80096F8-46D9-42E3-8CDB-99ADA2CBD970", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc10:*:*:*:*:*:*:*", "matchCriteriaId": "9E504866-3429-4A4C-8278-5C2753D356C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc11:*:*:*:*:*:*:*", "matchCriteriaId": "30857130-636F-4719-9F1E-8F6369F40DAC", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc12:*:*:*:*:*:*:*", "matchCriteriaId": "9843D7CE-4723-4200-AFD4-5B31545A287E", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc13:*:*:*:*:*:*:*", "matchCriteriaId": "54AF1D92-D89B-4DE4-9D47-72466873A4C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc14:*:*:*:*:*:*:*", "matchCriteriaId": "64A8FCA5-1666-48F7-9689-37D9315813F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.rc15:*:*:*:*:*:*:*", "matchCriteriaId": "D4D517F3-F0A8-4362-89B9-0ED63515283F", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0_rc29:*:*:*:*:*:*:*", "matchCriteriaId": "3AAE9E7C-49CC-48C3-B47C-CDC5802356A7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack."}, {"lang": "es", "value": "Dovecot antes de 1.0.11, cuando se configura para utilizar mail_extra_groups para permitir a Dovecot crear dotlocks en /var/mail, podr\u00eda permitir a usuarios locales leer archivos de mail sensibles para otros usuarios, o modificar archivos o directorios que sean escribibles por el grupo, a trav\u00e9s de un ataque de enlaces simb\u00f3licos."}], "id": "CVE-2008-1199", "lastModified": "2018-10-11T20:30:05.493", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-03-06T21:44:00.000", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/29226"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/29385"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/29396"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/29557"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/30342"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/32151"}, {"source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200803-25.xml"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1516"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.dovecot.org/list/dovecot-news/2008-March/000061.html"}, {"source": "cve@mitre.org", "url": "http://www.redhat.com/support/errata/RHSA-2008-0297.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/489133/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/28092"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41009"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10739"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/593-1/"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00358.html"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00381.html"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "Red Hat is aware of this issue and is tracking it via the following bug:\nhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1199\n\nThis issue does not affect the default configuration of Dovecot as shipped in Red Hat Enterprise Linux.\n\nThe Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. \n\nAn update to Red Hat Enterprise Linux 5 was released to correct this issue:\nhttps://rhn.redhat.com/errata/RHSA-2008-0297.html\n", "lastModified": "2008-05-21T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-16"}, {"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}