CVE-2008-4577

Name: CVE-2008-4577
Creator: NVD / NIST
Published: 2008-10-15T20:08:02.67+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 2.33%

Last modified Jun 16, 2026

CVE-2008-4577 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.. EPSS estimates a 2.33% chance of exploitation in the next 30 days.

Description

The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

2.33%

81.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-863

Affected Software

Vendor	Product	Versions
Dovecot	Dovecot	< 1.1.4
Fedoraproject	Fedora	8
Fedoraproject	Fedora	9
Opensuse	Opensuse	10.3-11.1
Canonical	Ubuntu Linux	8.04
Canonical	Ubuntu Linux	8.10
Canonical	Ubuntu Linux	9.04

References

http://bugs.gentoo.org/show_bug.cgi?id=240409Issue Tracking
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.htmlMailing List
http://secunia.com/advisories/32164Broken Link, Vendor Advisory
http://secunia.com/advisories/32471Broken Link
http://secunia.com/advisories/33149Broken Link
http://secunia.com/advisories/33624Broken Link
http://secunia.com/advisories/36904Broken Link
http://security.gentoo.org/glsa/glsa-200812-16.xmlThird Party Advisory
http://www.dovecot.org/list/dovecot-news/2008-October/000085.htmlMailing List, Release Notes
http://www.mandriva.com/security/advisories?name=MDVSA-2008:232Broken Link
http://www.redhat.com/support/errata/RHSA-2009-0205.htmlBroken Link
http://www.securityfocus.com/bid/31587Broken Link, Third Party Advisory, VDB Entry
http://www.ubuntu.com/usn/USN-838-1Third Party Advisory
http://www.vupen.com/english/advisories/2008/2745Permissions Required
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376Broken Link
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.htmlMailing List
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.htmlMailing List
http://bugs.gentoo.org/show_bug.cgi?id=240409Issue Tracking
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.htmlMailing List
http://secunia.com/advisories/32164Broken Link, Vendor Advisory
http://secunia.com/advisories/32471Broken Link
http://secunia.com/advisories/33149Broken Link
http://secunia.com/advisories/33624Broken Link
http://secunia.com/advisories/36904Broken Link
http://security.gentoo.org/glsa/glsa-200812-16.xmlThird Party Advisory
http://www.dovecot.org/list/dovecot-news/2008-October/000085.htmlMailing List, Release Notes
http://www.mandriva.com/security/advisories?name=MDVSA-2008:232Broken Link
http://www.redhat.com/support/errata/RHSA-2009-0205.htmlBroken Link
http://www.securityfocus.com/bid/31587Broken Link, Third Party Advisory, VDB Entry
http://www.ubuntu.com/usn/USN-838-1Third Party Advisory
http://www.vupen.com/english/advisories/2008/2745Permissions Required
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10376Broken Link
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00816.htmlMailing List
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00844.htmlMailing List

Timeline

Published: Oct 15, 2008
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2008-4577?

The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.

How severe is CVE-2008-4577?

CVE-2008-4577 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 2.33% probability of exploitation in the next 30 days.

How do I fix CVE-2008-4577?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2008-4577?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST