CVE-2010-3707
First published: Wed Oct 06 2010(Updated: )
plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dovecot | =1.2.0 | |
| Dovecot | =1.2.1 | |
| Dovecot | =1.2.2 | |
| Dovecot | =1.2.3 | |
| Dovecot | =1.2.4 | |
| Dovecot | =1.2.5 | |
| Dovecot | =1.2.6 | |
| Dovecot | =1.2.7 | |
| Dovecot | =1.2.8 | |
| Dovecot | =1.2.9 | |
| Dovecot | =1.2.10 | |
| Dovecot | =1.2.11 | |
| Dovecot | =1.2.12 | |
| Dovecot | =1.2.13 | |
| Dovecot | =1.2.14 | |
| Dovecot | =2.0.0 | |
| Dovecot | =2.0.1 | |
| Dovecot | =2.0.2 | |
| Dovecot | =2.0.3 | |
| Dovecot | =2.0.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.dovecot.org/list/dovecot/2010-October/053450.html
- http://marc.info/?l=oss-security&m=128620520732377&w=2
- http://www.dovecot.org/list/dovecot/2010-October/053452.html
- http://www.vupen.com/english/advisories/2010/2572
- http://www.dovecot.org/list/dovecot/2010-October/053451.html
- http://marc.info/?l=oss-security&m=128622064325688&w=2
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:217
- http://www.vupen.com/english/advisories/2010/2840
- http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html
- http://secunia.com/advisories/43220
- http://www.vupen.com/english/advisories/2011/0301
- http://www.ubuntu.com/usn/USN-1059-1
- http://www.redhat.com/support/errata/RHSA-2011-0600.html
Frequently Asked Questions
What is the severity of CVE-2010-3707?
CVE-2010-3707 has been classified with a medium severity rating.
How do I fix CVE-2010-3707?
To mitigate CVE-2010-3707, upgrade Dovecot to version 1.2.15 or 2.0.5 or later.
What versions of Dovecot are affected by CVE-2010-3707?
CVE-2010-3707 affects Dovecot versions 1.2.0 through 1.2.14 and 2.0.0 through 2.0.4.
What type of vulnerability is CVE-2010-3707?
CVE-2010-3707 is an access control vulnerability that can lead to improperly granted permissions.
Is there any workaround for CVE-2010-3707?
There are no known workarounds for CVE-2010-3707, so upgrading is the recommended course of action.
- agent/first-publish-date
- agent/last-modified-date
- agent/type
- agent/references
- agent/softwarecombine
- agent/tags
- agent/description
- agent/severity
- agent/weakness
- agent/author
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/dovecot
- canonical/dovecot
- version/dovecot/1.2.0
- version/dovecot/1.2.1
- version/dovecot/1.2.2
- version/dovecot/1.2.3
- version/dovecot/1.2.4
- version/dovecot/1.2.5
- version/dovecot/1.2.6
- version/dovecot/1.2.7
- version/dovecot/1.2.8
- version/dovecot/1.2.9
- version/dovecot/1.2.10
- version/dovecot/1.2.11
- version/dovecot/1.2.12
- version/dovecot/1.2.13
- version/dovecot/1.2.14
- version/dovecot/2.0.0
- version/dovecot/2.0.1
- version/dovecot/2.0.2
- version/dovecot/2.0.3
- version/dovecot/2.0.4