CVE-2013-6171
EPSS 0.24%
Description
checkpassword-reply in Dovecot before 2.2.7 performs setuid operations to a user who is authenticating, which allows local users to bypass authentication and access virtual email accounts by attaching to the process and using a restricted file descriptor to modify account information in the response to the dovecot-auth server.
How to fix CVE-2013-6171
To remediate CVE-2013-6171, upgrade the affected package to a fixed version below.
- Debian/dovecot—upgrade to 1:2.2.9-1 or later
Is CVE-2013-6171 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1:2.2.9-1