VYPR
← All advisories
Unrated severityNVD Advisory· Published Apr 11, 2003· Updated Apr 16, 2026

CVE-2002-1414

CVE-2002-1414

Description

Local privilege escalation vulnerability in qmailadmin due to a buffer overflow in the QMAILADMIN_TEMPLATEDIR environment variable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Local privilege escalation vulnerability in qmailadmin due to a buffer overflow in the QMAILADMIN_TEMPLATEDIR environment variable.

Vulnerability

A buffer overflow vulnerability exists in the qmailadmin utility, specifically when processing the QMAILADMIN_TEMPLATEDIR environment variable. This issue affects qmailadmin versions prior to 1.0.x. The vulnerability arises from inadequate bounds checking when handling this environment variable, potentially allowing for a buffer overrun. The vulnerability is exploitable by local users [1].

Exploitation

An attacker with local access can exploit this vulnerability by crafting a long string for the QMAILADMIN_TEMPLATEDIR environment variable. This string will contain shellcode and padding designed to overwrite the buffer. The setenv function is used to set this variable, and then execlp is used to execute the qmailadmin binary, triggering the overflow and executing the shellcode [1].

Impact

Successful exploitation of this vulnerability allows a local attacker to gain elevated privileges. If qmailadmin is installed setuid root, the attacker can achieve root privileges. In other configurations, the attacker can gain the privileges of the user running qmailadmin, which is often vpopmail or a similar user [1].

Mitigation

No specific patched version or release date for a fix is available in the provided references. Users are advised to check for updated versions of qmailadmin or consult vendor advisories. There are no workarounds mentioned in the available references, and the vulnerability is not listed as being actively exploited in the wild [1].

References
  1. qmailadmin 1.0.x - Local Buffer Overflow

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7
  • Double Precision Incorporated/Qmailadmin7 versions
    cpe:2.3:a:inter7:qmailadmin:1.0:*:*:*:*:*:*:*+ 6 more
    • cpe:2.3:a:inter7:qmailadmin:1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:qmailadmin:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:qmailadmin:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:qmailadmin:1.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:qmailadmin:1.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:inter7:qmailadmin:1.0.5:*:*:*:*:*:*:*
    • (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

5

News mentions

0

No linked articles in our index yet.