CVE-2009-3897

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://secunia.com/advisories/37443", "name": "37443", "tags": ["Broken Link", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://marc.info/?l=oss-security&m=125900271508796&w=2", "name": "[oss-security] 20091123 Re: CVE Request - Dovecot - 1.2.8", "tags": ["Mailing List"], "refsource": "MLIST"}, {"url": "http://www.dovecot.org/list/dovecot-news/2009-November/000143.html", "name": "[dovecot-news] 20091120 v1.2.8 released", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "http://www.vupen.com/english/advisories/2009/3306", "name": "ADV-2009-3306", "tags": ["Patch", "Permissions Required", "Vendor Advisory"], "refsource": "VUPEN"}, {"url": "http://marc.info/?l=oss-security&m=125900267208712&w=2", "name": "[oss-security] 20091123 Re: CVE request: v1.2.8 released to fix the 0777 base_dir creation issue", "tags": ["Mailing List", "Patch"], "refsource": "MLIST"}, {"url": "http://www.securityfocus.com/bid/37084", "name": "37084", "tags": ["Broken Link", "Patch", "Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "http://marc.info/?l=oss-security&m=125881481222441&w=2", "name": "[oss-security] 20091121 CVE Request - Dovecot - 1.2.8", "tags": ["Mailing List"], "refsource": "MLIST"}, {"url": "http://marc.info/?l=oss-security&m=125871729029145&w=2", "name": "[oss-security] 20091120 CVE request: v1.2.8 released to fix the 0777 base_dir creation issue", "tags": ["Mailing List", "Patch"], "refsource": "MLIST"}, {"url": "http://www.osvdb.org/60316", "name": "60316", "tags": ["Broken Link"], "refsource": "OSVDB"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:306", "name": "MDVSA-2009:306", "tags": ["Not Applicable"], "refsource": "MANDRIVA"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html", "name": "SUSE-SR:2010:001", "tags": ["Mailing List"], "refsource": "SUSE"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54363", "name": "dovecot-basedir-privilege-escalation(54363)", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-732"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2009-3897", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}}, "publishedDate": "2009-11-24T17:30Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.2.8", "versionStartIncluding": "1.2.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2024-02-08T15:21Z"}