First published: Mon Dec 09 2013
checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Dovecot Dovecot | <=2.2.6 | |
Dovecot Dovecot | =2.0-beta1 | |
Dovecot Dovecot | =2.0.0 | |
Dovecot Dovecot | =2.0.1 | |
Dovecot Dovecot | =2.0.2 | |
Dovecot Dovecot | =2.0.3 | |
Dovecot Dovecot | =2.0.4 | |
Dovecot Dovecot | =2.0.5 | |
Dovecot Dovecot | =2.0.6 | |
Dovecot Dovecot | =2.0.7 | |
Dovecot Dovecot | =2.0.8 | |
Dovecot Dovecot | =2.0.9 | |
Dovecot Dovecot | =2.0.10 | |
Dovecot Dovecot | =2.0.11 | |
Dovecot Dovecot | =2.0.12 | |
Dovecot Dovecot | =2.0.13 | |
Dovecot Dovecot | =2.0.14 | |
Dovecot Dovecot | =2.0.15 | |
Dovecot Dovecot | =2.1-rc1 | |
Dovecot Dovecot | =2.1-rc2 | |
Dovecot Dovecot | =2.1-rc3 | |
Dovecot Dovecot | =2.1-rc5 | |
Dovecot Dovecot | =2.1-rc6 | |
Dovecot Dovecot | =2.1-rc7 | |
Dovecot Dovecot | =2.1.0 | |
Dovecot Dovecot | =2.1.1 | |
Dovecot Dovecot | =2.1.2 | |
Dovecot Dovecot | =2.1.3 | |
Dovecot Dovecot | =2.1.4 | |
Dovecot Dovecot | =2.1.5 | |
Dovecot Dovecot | =2.1.6 | |
Dovecot Dovecot | =2.1.7 | |
Dovecot Dovecot | =2.1.10 | |
Dovecot Dovecot | =2.1.11 | |
Dovecot Dovecot | =2.1.12 | |
Dovecot Dovecot | =2.1.13 | |
Dovecot Dovecot | =2.1.14 | |
Dovecot Dovecot | =2.1.15 | |
Dovecot Dovecot | =2.2-rc1 | |
Dovecot Dovecot | =2.2-rc2 | |
Dovecot Dovecot | =2.2-rc3 | |
Dovecot Dovecot | =2.2-rc4 | |
Dovecot Dovecot | =2.2-rc5 | |
Dovecot Dovecot | =2.2-rc6 | |
Dovecot Dovecot | =2.2-rc7 | |
Dovecot Dovecot | =2.2.0 | |
Dovecot Dovecot | =2.2.1 | |
Dovecot Dovecot | =2.2.2 | |
Dovecot Dovecot | =2.2.3 | |
Dovecot Dovecot | =2.2.4 | |
Dovecot Dovecot | =2.2.5 | |
debian/dovecot | 1:2.3.13+dfsg1-2+deb11u1 1:2.3.13+dfsg1-2+deb11u2 1:2.3.19.1+dfsg1-2.1+deb12u1 1:2.3.21.1+dfsg1-1 |
CVE-2013-6171 is a vulnerability in Dovecot that allows local users to bypass authentication and access virtual email accounts.
The severity of CVE-2013-6171 is medium with a CVSS score of 5.8.
CVE-2013-6171 arises because checkpassword-reply performs setuid operations to the user who is authenticating, which lets local users attach to the process, modify account information in the response to the dovecot-auth server, and bypass authentication.
Dovecot versions up to and including 2.2.6 are affected by CVE-2013-6171.
To fix CVE-2013-6171, you should update Dovecot to version 2.2.7 or higher.