CVE-2009-1631 - OpenCVE

The Mailer component in Evolution 2.26.1 and earlier uses world-readable permissions for the .evolution directory, and certain directories and files under .evolution/ related to local mail, which allows local users to obtain sensitive information by reading these files.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Gnome	Evolution

Configuration 1 [-]

OR	cpe:2.3:a:gnome:evolution::::::::
	cpe:2.3:a:gnome:evolution:1.0.8:::::::*
	cpe:2.3:a:gnome:evolution:1.2:::::::*
	cpe:2.3:a:gnome:evolution:1.2.1:::::::*
	cpe:2.3:a:gnome:evolution:1.2.2:::::::*
	cpe:2.3:a:gnome:evolution:1.2.3:::::::*
	cpe:2.3:a:gnome:evolution:1.2.4:::::::*
	cpe:2.3:a:gnome:evolution:1.4:::::::*
	cpe:2.3:a:gnome:evolution:1.4.3:::::::*
	cpe:2.3:a:gnome:evolution:1.4.4:::::::*
	cpe:2.3:a:gnome:evolution:1.4.5:::::::*
	cpe:2.3:a:gnome:evolution:1.4.6:::::::*
	cpe:2.3:a:gnome:evolution:2.0.0:::::::*
	cpe:2.3:a:gnome:evolution:2.0.1:::::::*
	cpe:2.3:a:gnome:evolution:2.0.2:::::::*
	cpe:2.3:a:gnome:evolution:2.4:::::::*
	cpe:2.3:a:gnome:evolution:2.6:::::::*
	cpe:2.3:a:gnome:evolution:2.12:::::::*
	cpe:2.3:a:gnome:evolution:2.24:::::::*

References

Link	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526409	Exploit
http://bugzilla.gnome.org/show_bug.cgi?id=581604
http://www.openwall.com/lists/oss-security/2009/05/12/6
http://www.securityfocus.com/bid/34921
https://bugzilla.redhat.com/show_bug.cgi?id=498648

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2009-05-14T17:00:00

Updated: 2009-05-23T09:00:00

Reserved: 2009-05-14T00:00:00

Link: CVE-2009-1631

JSON object: View

NVD Information

Status : Modified

Published: 2009-05-14T17:30:00.797

Modified: 2009-05-23T05:31:52.767

Link: CVE-2009-1631

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-05-12T00:00:00", "descriptions": [{"lang": "en", "value": "The Mailer component in Evolution 2.26.1 and earlier uses world-readable permissions for the .evolution directory, and certain directories and files under .evolution/ related to local mail, which allows local users to obtain sensitive information by reading these files."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2009-05-23T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526409"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=498648"}, {"tags": ["x_refsource_MISC"], "url": "http://bugzilla.gnome.org/show_bug.cgi?id=581604"}, {"name": "34921", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/34921"}, {"name": "[oss-security] 20090512 CVE Request (evolution)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2009/05/12/6"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-1631", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Mailer component in Evolution 2.26.1 and earlier uses world-readable permissions for the .evolution directory, and certain directories and files under .evolution/ related to local mail, which allows local users to obtain sensitive information by reading these files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526409", "refsource": "MISC", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526409"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=498648", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=498648"}, {"name": "http://bugzilla.gnome.org/show_bug.cgi?id=581604", "refsource": "MISC", "url": "http://bugzilla.gnome.org/show_bug.cgi?id=581604"}, {"name": "34921", "refsource": "BID", "url": "http://www.securityfocus.com/bid/34921"}, {"name": "[oss-security] 20090512 CVE Request (evolution)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/05/12/6"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-1631", "datePublished": "2009-05-14T17:00:00", "dateReserved": "2009-05-14T00:00:00", "dateUpdated": "2009-05-23T09:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnome:evolution:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DAA1168-4962-46F2-BEF1-BCB537D154E0", "versionEndIncluding": "2.26.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:1.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "B10AA832-0C56-4447-BAAB-D6D1F56D59DA", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "6D9FBE67-2901-426F-9CA6-70022077B2EA", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "B11C791D-6E3D-4C96-B5CE-A82D870F61D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "38225EC0-5966-4316-B45E-AB1BD4BB5328", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "D3EBC9CD-DFBF-40E1-8F28-F64E27E8EBD8", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "101552BA-C509-4767-901B-279C3B0C21F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:1.4:*:*:*:*:*:*:*", "matchCriteriaId": "A3FBC98A-111A-4E78-AAA5-CF76B7B32D36", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "DA12263C-AD34-405E-B27B-6536DFD77093", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "180B84B3-8AF2-4C0F-BB49-789D4C403B36", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "E1E9C9CC-FDEB-45C4-AF92-D3AE7DFEFB3E", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "44F21156-9E93-4936-B16F-1C243B937C98", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "29AB66CF-0B1B-4762-A596-4FC451977D70", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "600F1CB5-B0F8-443C-A25D-34B335931494", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7A7A5DBB-9259-4F0F-A7EA-A4E96D7B2C46", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:2.4:*:*:*:*:*:*:*", "matchCriteriaId": "4CA640B6-B155-4503-BB05-4F17E6A71D96", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:2.6:*:*:*:*:*:*:*", "matchCriteriaId": "40C26725-D869-49B0-8405-4472E1639799", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:2.12:*:*:*:*:*:*:*", "matchCriteriaId": "2160DB09-250B-4BB4-A77D-79326EB9969C", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnome:evolution:2.24:*:*:*:*:*:*:*", "matchCriteriaId": "854DCABF-696A-4800-8B92-5CCB8F1B5333", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Mailer component in Evolution 2.26.1 and earlier uses world-readable permissions for the .evolution directory, and certain directories and files under .evolution/ related to local mail, which allows local users to obtain sensitive information by reading these files."}, {"lang": "es", "value": "El componente Mailer en Evolution v2.26.1 y versiones anteriores utiliza permisos de lectura para todos para el directorio .evolution, y determinados directorios y ficheros bajo .evolution/ relacionados con el correo local, lo cual permite a usuarios locales obtener informaci\u00f3n sensible a trav\u00e9s de la lectura de esos ficheros."}], "id": "CVE-2009-1631", "lastModified": "2009-05-23T05:31:52.767", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-05-14T17:30:00.797", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526409"}, {"source": "cve@mitre.org", "url": "http://bugzilla.gnome.org/show_bug.cgi?id=581604"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2009/05/12/6"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/34921"}, {"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=498648"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "Red Hat does not consider this to be a security issue. By default, user home directories are created with mode 0700 permissions, which would not expose the ~/.evolution/ directory regardless of its own permissions.\n\nIf a user intentionally relaxes permissions on their home directory, they should be auditing all files and directories in order to not expose unwanted files to other local users.", "lastModified": "2009-12-07T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}