CVE-2010-3707 — Dovecot vulnerability

CWE-2648 documents8 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 67.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot

Timeline

PublishedOct 6

Latest updateMay 17

Description

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 8.0 | Impact: 4.9

Affected Packages3 packages

▶debiandebian/dovecot< dovecot 1:1.2.15-1 (bookworm)

▶Debiandovecot/dovecot< 1:1.2.15-1+3

▶NVDdovecot/dovecot20 versions+19

🔴Vulnerability Details

GHSA

GHSA-px5f-9v9f-4cpw: plugins/acl/acl-backend-vfile↗2022-05-17

▶

OSV

CVE-2010-3707: plugins/acl/acl-backend-vfile↗2010-10-06

▶

💥Exploits & PoCs

Exploit-DB

VMware Player / VMware Workstation 6.5.3 - 'VMware-authd' Remote Denial of Service↗2009-10-07

▶

📋Vendor Advisories

Ubuntu

Dovecot vulnerabilities↗2011-02-07

▶

Red Hat

Dovecot: Failed to properly update ACL cache, when multiple rules defined rights for one subject↗2010-10-01

▶

Debian

CVE-2010-3707: dovecot - plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before ...↗2010

▶

💬Community

Bugzilla

CVE-2010-3707 Dovecot: Failed to properly update ACL cache, when multiple rules defined rights for one subject↗2010-10-05

▶