CVE-2008-4870 — Incorrect Permission Assignment in Dovecot

CWE-732 — Incorrect Permission Assignment6 documents6 sources

Severity

2.1LOWNVD

EPSS

0.0%

top 87.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot

Timeline

PublishedNov 1

Latest updateMay 13

Description

dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value.

CVSS vector

AV:L/AC:L/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages2 packages

▶debiandebian/dovecot

▶NVDdovecot/dovecot1.0.7

🔴Vulnerability Details

GHSA

GHSA-7hp8-2g4v-fc2h: dovecot 1↗2022-05-13

▶

OSV

CVE-2008-4870: dovecot 1↗2008-11-01

▶

📋Vendor Advisories

Red Hat

dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions↗2008-03-06

▶

Debian

CVE-2008-4870: dovecot - dovecot 1.0.7 in Red Hat Enterprise Linux (RHEL) 5, and possibly Fedora, uses wo...↗2008

▶

💬Community

Bugzilla

CVE-2008-4870 dovecot: ssl_key_password disclosure due to an insecure dovecot.conf permissions↗2008-11-03

▶