Medium severity5.5NVD Advisory· Published Nov 24, 2009· Updated Apr 23, 2026

CVE-2009-3897

Description

Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself.

Affected products

Dovecot (software)/Dovecot
cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
Range: >=1.2.0,<1.2.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

marc.infonvdMailing ListPatch
marc.infonvdMailing ListPatch
www.dovecot.org/list/dovecot-news/2009-November/000143.htmlnvdMailing ListPatchVendor Advisory
www.securityfocus.com/bid/37084nvdBroken LinkPatchThird Party AdvisoryVDB Entry
www.vupen.com/english/advisories/2009/3306nvdPatchPermissions RequiredVendor Advisory
secunia.com/advisories/37443nvdBroken LinkVendor Advisory
exchange.xforce.ibmcloud.com/vulnerabilities/54363nvdThird Party AdvisoryVDB Entry
lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.htmlnvdMailing List
marc.infonvdMailing List
marc.infonvdMailing List
www.mandriva.com/security/advisoriesnvdNot Applicable
www.osvdb.org/60316nvdBroken Link

News mentions

No linked articles in our index yet.

cvss	0.358
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000