Executive Summary
| Informations | |||
|---|---|---|---|
| Name | CVE-2007-6598 | First vendor Publication | 2008-01-03 |
| Vendor | Cve | Last vendor Modification | 2024-11-21 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 6.8 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password. |
Original Source
| Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6598 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:10458 | |||
| Oval ID: | oval:org.mitre.oval:def:10458 | ||
| Title: | Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password. | ||
| Description: | Dovecot before 1.0.10, with certain configuration options including use of %variables, does not properly maintain the LDAP+auth cache, which might allow remote authenticated users to login as a different user who has the same password. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2007-6598 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:17080 | |||
| Oval ID: | oval:org.mitre.oval:def:17080 | ||
| Title: | USN-567-1 -- dovecot vulnerability | ||
| Description: | It was discovered that in very rare configurations using LDAP, Dovecot may reuse cached connections for users with the same password. | ||
| Family: | unix | Class: | patch |
| Reference(s): | USN-567-1 CVE-2007-6598 | Version: | 7 |
| Platform(s): | Ubuntu 7.04 Ubuntu 7.10 | Product(s): | dovecot |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:18653 | |||
| Oval ID: | oval:org.mitre.oval:def:18653 | ||
| Title: | DSA-1457-1 dovecot | ||
| Description: | It was discovered that Dovecot, a POP3 and IMAP server, only when used with LDAP authentication and <q>base</q> contains variables, could allow a user to log in to the account of another user with the same password. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1457-1 CVE-2007-6598 | Version: | 7 |
| Platform(s): | Debian GNU/Linux 4.0 | Product(s): | dovecot |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:8032 | |||
| Oval ID: | oval:org.mitre.oval:def:8032 | ||
| Title: | DSA-1457 dovecot -- programming error | ||
| Description: | It was discovered that Dovecot, a POP3 and IMAP server, only when used # Remark: "base" refers to a variable(?!) and should not contain something as # base = %r! with LDAP authentication and base contains variables, could allow a user to log in to the account of another user with the same password. The old stable distribution (sarge) is not affected. For the stable distribution (etch), this problem has been fixed in version 1.0.rc15-2etch3. For the unstable distribution (sid), this problem has been fixed in version 1.0.10-1. We recommend that you upgrade your dovecot packages. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1457 CVE-2007-6598 | Version: | 3 |
| Platform(s): | Debian GNU/Linux 4.0 | Product(s): | dovecot |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-03-23 | Name : Ubuntu Update for dovecot vulnerability USN-567-1 File : nvt/gb_ubuntu_USN_567_1.nasl |
| 2009-03-06 | Name : RedHat Update for dovecot RHSA-2008:0297-02 File : nvt/gb_RHSA-2008_0297-02_dovecot.nasl |
| 2008-01-31 | Name : Debian Security Advisory DSA 1457-1 (dovecot) File : nvt/deb_1457_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 39876 | Dovecot LDAP Auth Cache Security Bypass |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20080521_dovecot_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
| 2008-10-01 | Name : The remote openSUSE host is missing a security update. File : suse_dovecot-5647.nasl - Type : ACT_GATHER_INFO |
| 2008-05-22 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2008-0297.nasl - Type : ACT_GATHER_INFO |
| 2008-01-14 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-567-1.nasl - Type : ACT_GATHER_INFO |
| 2008-01-10 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1457.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History
| Date | Informations |
|---|---|
| 2024-11-28 23:15:28 |
|
| 2024-11-28 12:14:19 |
|
| 2021-05-05 01:04:17 |
|
| 2021-05-04 12:06:50 |
|
| 2021-04-22 01:07:19 |
|
| 2020-05-24 01:04:10 |
|
| 2020-05-23 00:20:56 |
|
| 2018-10-16 00:19:23 |
|
| 2017-09-29 09:23:20 |
|
| 2016-06-28 17:08:11 |
|
| 2016-04-26 16:56:19 |
|
| 2014-02-17 10:43:01 |
|
| 2013-05-11 10:44:57 |
|
