{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-07-24T00:00:00", "descriptions": [{"lang": "en", "value": "The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2010-09-30T09:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[dovecot-news] 20100724 v1.2.13 released", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.dovecot.org/list/dovecot-news/2010-July/000163.html"}, {"name": "[oss-security] 20100916 Re: CVE-identifier request for Dovecot ACL security bug", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2010/09/16/17"}, {"name": "USN-1059-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1059-1"}, {"name": "41964", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/41964"}, {"name": "[oss-security] 20100916 CVE-identifier request for Dovecot ACL security bug", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2010/09/16/14"}, {"name": "MDVSA-2010:217", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217"}, {"name": "43220", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/43220"}, {"name": "ADV-2011-0301", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2011/0301"}, {"name": "ADV-2010-2840", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2010/2840"}, {"name": "SUSE-SR:2010:017", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T03:03:18.915Z"}, "title": "CVE Program Container", "references": [{"name": "[dovecot-news] 20100724 v1.2.13 released", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.dovecot.org/list/dovecot-news/2010-July/000163.html"}, {"name": "[oss-security] 20100916 Re: CVE-identifier request for Dovecot ACL security bug", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2010/09/16/17"}, {"name": "USN-1059-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-1059-1"}, {"name": "41964", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/41964"}, {"name": "[oss-security] 20100916 CVE-identifier request for Dovecot ACL security bug", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2010/09/16/14"}, {"name": "MDVSA-2010:217", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217"}, {"name": "43220", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/43220"}, {"name": "ADV-2011-0301", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2011/0301"}, {"name": "ADV-2010-2840", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2010/2840"}, {"name": "SUSE-SR:2010:017", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-3304", "datePublished": "2010-09-24T18:00:00", "dateReserved": "2010-09-13T00:00:00", "dateUpdated": "2024-08-07T03:03:18.915Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD2D1C99-0594-4378-AA6C-EC2E890E41FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "96F35305-79B4-49CD-A89F-A559CA9EEB33", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "EDC7E277-A5AE-4025-8412-E715D1C8C0F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "0DBE1D51-B9D5-4E59-81F6-C6937DA78637", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "30B37ACE-64EA-49E7-B836-C3F05CAE0392", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "1204F5C2-916D-4C27-A5C4-5B5E0AAA7322", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "A0C46C8A-EA49-4356-BA6B-8EC0F2E70B3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "96F54038-B17B-40C0-9C2E-20AF55E7602B", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "BBB0B72A-1C7D-4F89-BE89-CD82F667CB76", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "FEF89EB6-CBF5-48DF-8FDD-2C0AE0266B3D", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "41B2B3D8-EB69-4BD8-ACD5-CB6BFDE6B2FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "E1A909DC-0D77-4690-87D2-51A7564B63B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "BB2F767F-5D7F-40AC-BA57-4E819F486301", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs."}, {"lang": "es", "value": "El complemento ACL de Dovecot v1.2.x anteriores a v1.2.13 propaga las ACLs INBOX a nuevos buzones de correo en determinadas configuraciones, lo que puede permitir a atacantes remotos leer buzones de correo que tienen ACLs d\u00e9biles imprevistos."}], "id": "CVE-2010-3304", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2010-09-24T19:00:04.980", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/43220"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.dovecot.org/list/dovecot-news/2010-July/000163.html"}, {"source": "secalert@redhat.com", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2010/09/16/14"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2010/09/16/17"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/41964"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-1059-1"}, {"source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2010/2840"}, {"source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2011/0301"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/43220"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.dovecot.org/list/dovecot-news/2010-July/000163.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:217"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2010/09/16/14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2010/09/16/17"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/41964"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-1059-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2010/2840"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2011/0301"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "dovecot: INBOX ACLs to newly created mailboxes propagation, possibly leading to weak ACLs", "id": "746270", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=746270"}, "csaw": false, "cvss": {"cvss_base_score": "2.6", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "status": "draft"}, "details": ["The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs."], "name": "CVE-2010-3304", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:4", "fix_state": "Not affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "dovecot", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2010-07-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2010-3304\nhttps://nvd.nist.gov/vuln/detail/CVE-2010-3304"], "statement": "This issue does not affect the version of dovecot package, as shipped with Red Hat Enterprise Linux 4, 5 and 6.", "threat_severity": "Low"}