CVE-2008-5301 - Vulnerability Details - OpenCVE

Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to read and modify arbitrary .sieve files via a ".." (dot dot) in a script name.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dovecot	Dovecot

Configuration 1 [-]

OR	cpe:2.3:a:dovecot:dovecot:0.99.13:::::::*
	cpe:2.3:a:dovecot:dovecot:0.99.14:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.2:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.3:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.4:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.5:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.6:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.7:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.8:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.9:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.10:::::::*
	cpe:2.3:a:dovecot:dovecot:1.0.12:::::::*
	cpe:2.3:a:dovecot:dovecot:1.1:::::::*
	cpe:2.3:a:dovecot:dovecot:1.1:rc2::::::
	cpe:2.3:a:dovecot:dovecot:1.1.0:::::::*
	cpe:2.3:a:dovecot:dovecot:1.1.1:::::::*
	cpe:2.3:a:dovecot:dovecot:1.1.2:::::::*
	cpe:2.3:a:dovecot:dovecot:1.1.3:::::::*
	cpe:2.3:a:dovecot:dovecot:1.1.4:::::::*
	cpe:2.3:a:dovecot:dovecot:1.1.5:::::::*

No data.

References

Link	Providers
http://secunia.com/advisories/32768
http://secunia.com/advisories/36904
http://www.dovecot.org/list/dovecot/2008-November/035259.html
http://www.securityfocus.com/bid/32582
http://www.ubuntu.com/usn/USN-838-1
http://www.vupen.com/english/advisories/2008/3190
https://exchange.xforce.ibmcloud.com/vulnerabilities/46672

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-12-01T17:00:00

Updated: 2024-08-07T10:49:12.314Z

Reserved: 2008-12-01T00:00:00

Link: CVE-2008-5301

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2008-12-01T17:30:01.437

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-5301

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-11-17T00:00:00", "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to read and modify arbitrary .sieve files via a \"..\" (dot dot) in a script name."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "managesieve-sieve-directory-traversal(46672)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46672"}, {"name": "ADV-2008-3190", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/3190"}, {"name": "USN-838-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-838-1"}, {"name": "[Dovecot] 20081117 ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.dovecot.org/list/dovecot/2008-November/035259.html"}, {"name": "32768", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/32768"}, {"name": "36904", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/36904"}, {"name": "32582", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/32582"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-5301", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to read and modify arbitrary .sieve files via a \"..\" (dot dot) in a script name."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "managesieve-sieve-directory-traversal(46672)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46672"}, {"name": "ADV-2008-3190", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/3190"}, {"name": "USN-838-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-838-1"}, {"name": "[Dovecot] 20081117 ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)", "refsource": "MLIST", "url": "http://www.dovecot.org/list/dovecot/2008-November/035259.html"}, {"name": "32768", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32768"}, {"name": "36904", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36904"}, {"name": "32582", "refsource": "BID", "url": "http://www.securityfocus.com/bid/32582"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T10:49:12.314Z"}, "title": "CVE Program Container", "references": [{"name": "managesieve-sieve-directory-traversal(46672)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46672"}, {"name": "ADV-2008-3190", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/3190"}, {"name": "USN-838-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-838-1"}, {"name": "[Dovecot] 20081117 ManageSieve SECURITY hole: virtual users can edit scripts of other virtual users (all versions)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.dovecot.org/list/dovecot/2008-November/035259.html"}, {"name": "32768", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/32768"}, {"name": "36904", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/36904"}, {"name": "32582", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/32582"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-5301", "datePublished": "2008-12-01T17:00:00", "dateReserved": "2008-12-01T00:00:00", "dateUpdated": "2024-08-07T10:49:12.314Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dovecot:dovecot:0.99.13:*:*:*:*:*:*:*", "matchCriteriaId": "D0616CCF-D278-4B6D-A58B-393BCA128CF1", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:0.99.14:*:*:*:*:*:*:*", "matchCriteriaId": "D3C7BE64-7C1E-4043-A1C5-D0A7377C01A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4240BD98-3C31-42CE-AF8F-045DD4BFC084", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1C05ACA0-ED87-4DDF-94B6-8D25BE1790F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "8A8C0C4A-F9DB-4BB7-BFC5-BEC22C3FE40B", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "B7E00B56-A1E5-4261-8349-37654AA9FB64", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "E66427AA-A9D4-413F-8354-EA61407307C1", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "D74BE6C7-114D-4885-8472-FFE71C817B8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "4A349510-4D00-4978-93D9-3F9F5E0CD8DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "B65B9EFD-1531-463C-992E-F0F16AABF9C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "34BA7146-5793-44F4-9569-9D868FE6E325", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "B5078363-6B42-491B-A219-F8D8A86132BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "B1DDF093-B5C7-4AE5-B3D6-466C543AB2BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "F8BE860F-A3C2-43E0-BC75-503C437DAADD", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "9E6F249C-2793-46B5-A9E2-5EB3A62FF8E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "E4E57B06-8650-4374-B643-6FCBE3ABDAF5", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B0384E42-1506-4C08-AA5A-18B2A711C7F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "F5DC1CE5-50B9-426E-B98A-224DC499AB15", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "350A26D6-A8BA-4125-A640-264E08D28CB0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "71057F4B-3040-4771-B989-9F3453934AAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:dovecot:dovecot:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "1730EBB1-4071-4A23-B770-D564AF422273", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in the ManageSieve implementation in Dovecot 1.0.15, 1.1, and 1.2 allows remote attackers to read and modify arbitrary .sieve files via a \"..\" (dot dot) in a script name."}, {"lang": "es", "value": "Vulnerabilidad de salto de directorio en la implementaci\u00f3n de ManageSieve en Dovecot 1.0.15, 1.1, y 1.2 permite a atacantes remotos leer y modificar arbitrariamente ficheros .sieve a trav\u00e9s de un \"..\" (punto punto) en el nombre de un script."}], "id": "CVE-2008-5301", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-12-01T17:30:01.437", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/32768"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/36904"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.dovecot.org/list/dovecot/2008-November/035259.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/32582"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-838-1"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/3190"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46672"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/32768"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/36904"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.dovecot.org/list/dovecot/2008-November/035259.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/32582"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-838-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/3190"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46672"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "Not vulnerable. This issue did not affect the versions of dovecot as shipped with Red Hat Enterprise Linux 4, or 5. Those packages do not include ManageSieve server.", "lastModified": "2008-12-02T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}