Privilege escalation : Dovecot ACL Plugin Security Bypass Vulnerabilities

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.800030

Categoría: Privilege escalation

Título: Dovecot ACL Plugin Security Bypass Vulnerabilities

Resumen: Dovecot ACL Plugin is prone to multiple security bypass vulnerabilities.

Descripción: Summary:
Dovecot ACL Plugin is prone to multiple security bypass vulnerabilities.

Vulnerability Insight:
The flaws are due to:

- the ACL plugin interprets negative access rights as positive access rights,
potentially giving an unprivileged user access to restricted resources.

- an error in the ACL plugin when imposing mailbox creation restrictions to create
parent/child/child mailboxes.

Vulnerability Impact:
Successful attack could allow malicious people to bypass certain
security restrictions or manipulate certain data.

Affected Software/OS:
Dovecot versions prior to 1.1.4.

Solution:
Upgrade to Dovecot version 1.1.4 or later.

CVSS Score:
6.4

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2008-4577
31587
http://www.securityfocus.com/bid/31587
32164
http://secunia.com/advisories/32164
32471
http://secunia.com/advisories/32471
33149
http://secunia.com/advisories/33149
33624
http://secunia.com/advisories/33624
36904
http://secunia.com/advisories/36904
ADV-2008-2745
http://www.vupen.com/english/advisories/2008/2745
FEDORA-2008-9202
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html
FEDORA-2008-9232
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html
GLSA-200812-16
http://security.gentoo.org/glsa/glsa-200812-16.xml
MDVSA-2008:232
http://www.mandriva.com/security/advisories?name=MDVSA-2008:232
RHSA-2009:0205
http://www.redhat.com/support/errata/RHSA-2009-0205.html
SUSE-SR:2009:004
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
USN-838-1
http://www.ubuntu.com/usn/USN-838-1
[Dovecot-news] 20081005 v1.1.4 released
http://www.dovecot.org/list/dovecot-news/2008-October/000085.html
http://bugs.gentoo.org/show_bug.cgi?id=240409
oval:org.mitre.oval:def:10376
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376
Common Vulnerability Exposure (CVE) ID: CVE-2008-4578
20081119 Re: [ MDVSA-2008:232 ] dovecot
http://www.securityfocus.com/archive/1/498498/100/0/threaded
dovecot-acl-mailbox-security-bypass(45669)
https://exchange.xforce.ibmcloud.com/vulnerabilities/45669

Copyright Copyright (C) 2008 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.800030
Categoría:	Privilege escalation
Título:	Dovecot ACL Plugin Security Bypass Vulnerabilities
Resumen:	Dovecot ACL Plugin is prone to multiple security bypass vulnerabilities.
Descripción:	Summary: Dovecot ACL Plugin is prone to multiple security bypass vulnerabilities. Vulnerability Insight: The flaws are due to: - the ACL plugin interprets negative access rights as positive access rights, potentially giving an unprivileged user access to restricted resources. - an error in the ACL plugin when imposing mailbox creation restrictions to create parent/child/child mailboxes. Vulnerability Impact: Successful attack could allow malicious people to bypass certain security restrictions or manipulate certain data. Affected Software/OS: Dovecot versions prior to 1.1.4. Solution: Upgrade to Dovecot version 1.1.4 or later. CVSS Score: 6.4 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2008-4577 31587 http://www.securityfocus.com/bid/31587 32164 http://secunia.com/advisories/32164 32471 http://secunia.com/advisories/32471 33149 http://secunia.com/advisories/33149 33624 http://secunia.com/advisories/33624 36904 http://secunia.com/advisories/36904 ADV-2008-2745 http://www.vupen.com/english/advisories/2008/2745 FEDORA-2008-9202 https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.html FEDORA-2008-9232 https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.html GLSA-200812-16 http://security.gentoo.org/glsa/glsa-200812-16.xml MDVSA-2008:232 http://www.mandriva.com/security/advisories?name=MDVSA-2008:232 RHSA-2009:0205 http://www.redhat.com/support/errata/RHSA-2009-0205.html SUSE-SR:2009:004 http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html USN-838-1 http://www.ubuntu.com/usn/USN-838-1 [Dovecot-news] 20081005 v1.1.4 released http://www.dovecot.org/list/dovecot-news/2008-October/000085.html http://bugs.gentoo.org/show_bug.cgi?id=240409 oval:org.mitre.oval:def:10376 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376 Common Vulnerability Exposure (CVE) ID: CVE-2008-4578 20081119 Re: [ MDVSA-2008:232 ] dovecot http://www.securityfocus.com/archive/1/498498/100/0/threaded dovecot-acl-mailbox-security-bypass(45669) https://exchange.xforce.ibmcloud.com/vulnerabilities/45669
Copyright	Copyright (C) 2008 Greenbone AG