CVE-2008-4577 — Incorrect Authorization in Dovecot

CWE-863 — Incorrect Authorization CWE-285 — Improper Authorization CWE-862 — Missing Authorization10 documents8 sources

Severity

7.5HIGHNVD

EPSS

1.1%

top 21.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot Canonical Ubuntu Linux +2 more

Timeline

PublishedOct 15

Latest updateMay 2

Description

The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/dovecot< dovecot 1:1.0.15-2.2 (bookworm)

▶NVDdovecot/dovecot< 1.1.4

▶Debiandovecot/dovecot< 1:1.0.15-2.2+3

▶NVDopensuse/opensuse10.3-11.1

Also affects: Fedora 8, 9, Ubuntu Linux 8.04, 8.10, 9.04

🔴Vulnerability Details

GHSA

GHSA-24jq-h48j-g592: The ACL plugin in Dovecot before 1↗2022-05-02

▶

OSV

CVE-2008-4577: The ACL plugin in Dovecot before 1↗2008-10-15

▶

📋Vendor Advisories

Ubuntu

Dovecot vulnerabilities↗2009-09-28

▶

Red Hat

dovecot: incorrect handling of negative rights in the ACL plugin↗2008-10-05

▶

Debian

CVE-2008-4577: dovecot - The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they ...↗2008

▶

📐Framework References

CWE

Incorrect Authorization↗

▶

CWE

Improper Authorization↗

▶

CWE

Missing Authorization↗

▶

💬Community

Bugzilla

CVE-2008-4577 dovecot: incorrect handling of negative rights in the ACL plugin↗2008-10-17

▶