CVE-2010-3706 — Dovecot vulnerability

CWE-2647 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.4%

top 39.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot

Timeline

PublishedOct 6

Latest updateMay 17

Description

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 8.0 | Impact: 4.9

Affected Packages3 packages

▶debiandebian/dovecot< dovecot 1:1.2.15-1 (bookworm)

▶Debiandovecot/dovecot< 1:1.2.15-1+3

▶NVDdovecot/dovecot20 versions+19

🔴Vulnerability Details

GHSA

GHSA-6g2j-hjvm-jvwm: plugins/acl/acl-backend-vfile↗2022-05-17

▶

OSV

CVE-2010-3706: plugins/acl/acl-backend-vfile↗2010-10-06

▶

📋Vendor Advisories

Ubuntu

Dovecot vulnerabilities↗2011-02-07

▶

Red Hat

Dovecot: Failed to update ACL cache for mailboxes stored in private namespace↗2010-10-01

▶

Debian

CVE-2010-3706: dovecot - plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before ...↗2010

▶

💬Community

Bugzilla

CVE-2010-3706 Dovecot: Failed to update ACL cache for mailboxes stored in private namespace↗2010-10-05

▶