{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-10-02T00:00:00", "descriptions": [{"lang": "en", "value": "plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2010-11-19T10:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[oss-security] 20101004 Re: CVE Request: more dovecot ACL issues", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://marc.info/?l=oss-security&m=128622064325688&w=2"}, {"name": "USN-1059-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1059-1"}, {"name": "SUSE-SR:2010:020", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html"}, {"name": "ADV-2010-2572", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2010/2572"}, {"name": "[oss-security] 20101004 CVE Request: more dovecot ACL issues", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://marc.info/?l=oss-security&m=128620520732377&w=2"}, {"name": "MDVSA-2010:217", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217"}, {"name": "43220", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/43220"}, {"name": "ADV-2011-0301", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2011/0301"}, {"name": "[dovecot] 20101002 v1.2.15 released", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html"}, {"name": "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html"}, {"name": "ADV-2010-2840", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2010/2840"}, {"name": "[dovecot] 20101002 v2.0.5 released", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.dovecot.org/list/dovecot/2010-October/053451.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T03:18:52.956Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20101004 Re: CVE Request: more dovecot ACL issues", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://marc.info/?l=oss-security&m=128622064325688&w=2"}, {"name": "USN-1059-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-1059-1"}, {"name": "SUSE-SR:2010:020", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html"}, {"name": "ADV-2010-2572", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2010/2572"}, {"name": "[oss-security] 20101004 CVE Request: more dovecot ACL issues", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://marc.info/?l=oss-security&m=128620520732377&w=2"}, {"name": "MDVSA-2010:217", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217"}, {"name": "43220", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/43220"}, {"name": "ADV-2011-0301", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2011/0301"}, {"name": "[dovecot] 20101002 v1.2.15 released", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html"}, {"name": "[dovecot] 20101002 ACL handling bugs in v1.2.8+ and v2.0", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html"}, {"name": "ADV-2010-2840", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2010/2840"}, {"name": "[dovecot] 20101002 v2.0.5 released", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.dovecot.org/list/dovecot/2010-October/053451.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-3706", "datePublished": "2010-10-06T16:00:00", "dateReserved": "2010-10-01T00:00:00", "dateUpdated": "2024-08-07T03:18:52.956Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD2D1C99-0594-4378-AA6C-EC2E890E41FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "96F35305-79B4-49CD-A89F-A559CA9EEB33", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "EDC7E277-A5AE-4025-8412-E715D1C8C0F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "0DBE1D51-B9D5-4E59-81F6-C6937DA78637", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "30B37ACE-64EA-49E7-B836-C3F05CAE0392", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "1204F5C2-916D-4C27-A5C4-5B5E0AAA7322", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "A0C46C8A-EA49-4356-BA6B-8EC0F2E70B3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "96F54038-B17B-40C0-9C2E-20AF55E7602B", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "BBB0B72A-1C7D-4F89-BE89-CD82F667CB76", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "FEF89EB6-CBF5-48DF-8FDD-2C0AE0266B3D", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "41B2B3D8-EB69-4BD8-ACD5-CB6BFDE6B2FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "E1A909DC-0D77-4690-87D2-51A7564B63B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "BB2F767F-5D7F-40AC-BA57-4E819F486301", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.13:*:*:*:*:*:*:*", "matchCriteriaId": "68296C7C-B72C-46E7-A280-5E86E1470FDC", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.14:*:*:*:*:*:*:*", "matchCriteriaId": "72E1AF54-0446-49FB-A6B8-AF14833A3D0C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AEE31582-7AE3-4131-BDE9-5654DE58FAF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "65102391-C9AF-4CA3-AC43-0C52A7A37363", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "593DF083-5960-4BD5-AFC4-668B30E32E59", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "4DCC5E56-D31E-45F0-B18B-D98C219DEBAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "D969ED92-F429-4F67-8366-31A73CEE6A47", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox."}, {"lang": "es", "value": "plugins/acl/acl-backend-vfile.c en Dovecot v1.2.x anterior a v1.2.15 y v2.0.x anterior a v2.0.5 interpreta una entrada ACL como una directiva a a\u00f1adir a los permisos asignados por otra entrada ACL, en lugar de una directiva para reemplazar los permisos asignados por otra entrada ACL. En ciertas circunstancias involucrando espacios de nombres privados de un usuario, lo que permite a usuarios autenticados remotamente evitar restricciones de acceso intencionadas a trav\u00e9s de peticiones para leer o modificar un buz\u00f3n de correo"}], "id": "CVE-2010-3706", "lastModified": "2011-02-12T06:44:08.323", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2010-10-06T17:00:17.360", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html"}, {"source": "secalert@redhat.com", "url": "http://marc.info/?l=oss-security&m=128620520732377&w=2"}, {"source": "secalert@redhat.com", "url": "http://marc.info/?l=oss-security&m=128622064325688&w=2"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/43220"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.dovecot.org/list/dovecot/2010-October/053450.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.dovecot.org/list/dovecot/2010-October/053451.html"}, {"source": "secalert@redhat.com", "url": "http://www.dovecot.org/list/dovecot/2010-October/053452.html"}, {"source": "secalert@redhat.com", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-1059-1"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2010/2572"}, {"source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2010/2840"}, {"source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2011/0301"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "Dovecot: Failed to update ACL cache for mailboxes stored in private namespace", "id": "640401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=640401"}, "csaw": false, "cvss": {"cvss_base_score": "3.2", "cvss_scoring_vector": "AV:L/AC:L/Au:S/C:P/I:P/A:N", "status": "draft"}, "details": ["plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving the private namespace of a user, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox."], "name": "CVE-2010-3706", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:4", "fix_state": "Not affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2010-10-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2010-3706\nhttps://nvd.nist.gov/vuln/detail/CVE-2010-3706"], "statement": "Not vulnerable. This issue did not affect the versions of dovecot as\nshipped with Red Hat Enterprise Linux 4, 5 or 6.", "threat_severity": "Low"}