CVE-2008-2937

Summary

CVE	CVE-2008-2937
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2008-08-18 19:41:00 UTC
Updated	2018-10-11 20:45:00 UTC
Description	Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a mailbox file even when this file is not owned by the recipient, which allows local users to read e-mail messages by creating a mailbox file corresponding to another user's account name.

Risk And Classification

Problem Types: CWE-200

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Postfix	Postfix	2.5.0	All	All	All
Application	Postfix	Postfix	2.5.1	All	All	All
Application	Postfix	Postfix	2.5.2	All	All	All
Application	Postfix	Postfix	2.5.3	All	All	All
Application	Postfix	Postfix	2.6.0	All	All	All
Application	Postfix	Postfix	2.5.0	All	All	All
Application	Postfix	Postfix	2.5.1	All	All	All
Application	Postfix	Postfix	2.5.2	All	All	All
Application	Postfix	Postfix	2.5.3	All	All	All
Application	Postfix	Postfix	2.6.0	All	All	All

References

Reference	Source	Link	Tags
ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.4.HISTORY	CONFIRM	ftp.porcupine.org
[SECURITY] Fedora 9 Update: postfix-2.5.5-1.fc9	FEDORA	www.redhat.com
[#RPL-2689] postfix privilege escalation CVE-2008-2936 CVE-2008-2937 - rPath Issue Tracking System	CONFIRM	issues.rpath.com
Support	REDHAT	www.redhat.com
Support / Security / Advisories / / MDVSA-2009:224 \| Mandriva	MANDRIVA	www.mandriva.com
Fedora update for postfix - Secunia.com	SECUNIA	secunia.com
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH	VUPEN	www.vupen.com
Gentoo update for postfix - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
SUSE update for postfix - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com	Patch, Vendor Advisory
[SECURITY] Fedora 8 Update: postfix-2.5.5-1.fc8	FEDORA	www.redhat.com
Advisories:rPSA-2008-0259 - rPath Wiki	CONFIRM	wiki.rpath.com
[security-announce] SUSE Security Announcement: postfix (SUSE-SA:2008:04	SUSE	lists.opensuse.org
Postfix Symlink Handling and Destination Ownership Security Issues - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com	Vendor Advisory
Postfix: Local privilege escalation vulnerability — Gentoo Linux Documentation	GENTOO	security.gentoo.org
IBM X-Force Exchange	XF	exchange.xforce.ibmcloud.com
Postfix Local Information Disclosure and Local Privilege Escalation Vulnerabilities	BID	www.securityfocus.com	Patch
SecurityFocus	BUGTRAQ	www.securityfocus.com
Juniper Networks - 2015-10 Security Bulletin: CTPView: Multiple Vulnerabilities in CTPView	CONFIRM	kb.juniper.net
ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-2.6-20080814.HIS...	CONFIRM	ftp.porcupine.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Organization	Published	Contributor	Statement
Red Hat	2008-08-19	Joshua Bressers	Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=456347 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

There are currently no legacy QID mappings associated with this CVE.