CVE-2008-1199 — Link Following in Dovecot

CWE-16 CWE-59 — Link Following7 documents7 sources

Severity

4.4MEDIUMNVD

EPSS

0.0%

top 89.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot

Timeline

PublishedMar 6

Latest updateMay 1

Description

Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack.

CVSS vector

AV:L/AC:M/C:P/I:P/A:PExploitability: 3.4 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/dovecot< dovecot 1:1.0.12-1 (bookworm)

▶Debiandovecot/dovecot< 1:1.0.12-1+3

▶NVDdovecot/dovecot32 versions+31

Patches

Patch: www.dovecot.org ↗Patch: www.securityfocus.com ↗Patch: www.dovecot.org ↗

🔴Vulnerability Details

GHSA

GHSA-778f-c3r9-6vmp: Dovecot before 1↗2022-05-01

▶

OSV

CVE-2008-1199: Dovecot before 1↗2008-03-06

▶

📋Vendor Advisories

Ubuntu

Dovecot vulnerabilities↗2008-03-26

▶

Red Hat

dovecot: insecure mail_extra_groups option↗2008-03-04

▶

Debian

CVE-2008-1199: dovecot - Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot...↗2008

▶

💬Community

Bugzilla

CVE-2008-1199 dovecot: insecure mail_extra_groups option↗2008-03-11

▶