CVE-2020-3812 — Improper Privilege Management in Netqmail

CWE-269 — Improper Privilege Management CWE-200 — Sensitive Information Exposure CWE-250 — Execution with Unnecessary Privileges8 documents6 sources

Severity

5.5MEDIUMNVD

OSV9.8

EPSS

0.0%

top 86.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netqmail Debian Netqmail Canonical Ubuntu Linux +1 more

Timeline

PublishedMay 26

Latest updateMay 24

Description

qmail-verify as used in netqmail 1.06 is prone to an information disclosure vulnerability. A local attacker can test for the existence of files and directories anywhere in the filesystem because qmail-verify runs as root and tests for the existence of files in the attacker's home directory, without dropping its privileges first.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶Ubuntunetqmail/netqmail< 1.06-6.2~deb10u1build0.16.04.1+3

▶CVEListV5debian/netqmail1.06

▶NVDnetqmail/netqmail1.06

Also affects: Debian Linux 10.0, 8.0, 9.0, Ubuntu Linux 20.04

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-w98m-2722-xcvc: qmail-verify as used in netqmail 1↗2022-05-24

▶

OSV

netqmail vulnerabilities↗2020-09-29

▶

CVEList

CVE-2020-3812: qmail-verify as used in netqmail 1↗2020-05-26

▶

OSV

CVE-2020-3812: qmail-verify as used in netqmail 1↗2020-05-26

▶

📋Vendor Advisories

Ubuntu

netqmail vulnerabilities↗2020-11-05

▶

Ubuntu

netqmail vulnerabilities↗2020-09-29

▶

📐Framework References

CWE

Execution with Unnecessary Privileges↗

▶