CVE-2013-6171
Severity CVSS v4.0: Pending analysis
Type: CWE-287 Authentication Issues
Publication date: 09/12/2013
Last modified: 11/04/2025
Description
checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server.
Impact
Base Score 2.0: 5.80
Severity 2.0: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:* | | 2.2.6 (including) |
| cpe:2.3:a:dovecot:dovecot:2.0:beta1:*:*:*:*:*:* | | |
| cpe:2.3:a:dovecot:dovecot:2.0.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:dovecot:dovecot:2.0.1:*:*:*:*:*:*:* | | |
| cpe:2.3:a:dovecot:dovecot:2.0.2:*:*:*:*:*:*:* | | |
| cpe:2.3:a:dovecot:dovecot:2.0.3:*:*:*:*:*:*:* | | |
| cpe:2.3:a:dovecot:dovecot:2.0.4:*:*:*:*:*:*:* | | |
| cpe:2.3:a:dovecot:dovecot:2.0.5:*:*:*:*:*:*:* | | |
| cpe:2.3:a:dovecot:dovecot:2.0.6:*:*:*:*:*:*:* | | |
| cpe:2.3:a:dovecot:dovecot:2.0.7:*:*:*:*:*:*:* | | |
| cpe:2.3:a:dovecot:dovecot:2.0.8:*:*:*:*:*:*:* | | |
| cpe:2.3:a:dovecot:dovecot:2.0.9:*:*:*:*:*:*:* | | |
| cpe:2.3:a:dovecot:dovecot:2.0.10:*:*:*:*:*:*:* | | |
| cpe:2.3:a:dovecot:dovecot:2.0.11:*:*:*:*:*:*:* | | |
| cpe:2.3:a:dovecot:dovecot:2.0.12:*:*:*:*:*:*:* | | |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://cpanel.net/tsr-2013-0010-full-disclosure/
- http://secunia.com/advisories/54808
- http://wiki2.dovecot.org/AuthDatabase/CheckPassword#Security
- http://www.dovecot.org/list/dovecot-news/2013-November/000264.html
- https://usn.ubuntu.com/3556-2/



