CVE-2024-35179

May 15, 2024, 4:40 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Stalwart Mail Server

  • before 0.8.0

Source

security-advisories@github.com

CVE-2024-35179 details

Published : May 15, 2024, 4:15 p.m.
Last Modified : May 15, 2024, 4:40 p.m.

Description

Stalwart Mail Server is an open-source mail server. Prior to version 0.8.0, when Stalwart is started with `RUN_AS_USER`, the specified user (and therefore web interface admins) can read arbitrary files as root. The issue affects operators who run Stalwart with `RUN_AS_USER`, who have handed out admin credentials to the mail server on the expectation that those credentials grant access only with the privileges of the `RUN_AS_USER` account, and who are attacked by someone who has already achieved arbitrary code execution through another vulnerability. Version 0.8.0 contains a patch for the issue.
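The advisory does not say how the root-level file access survived the `RUN_AS_USER` switch, so the example below is not Stalwart's code and does not reproduce the bug. It is an added illustration of what an effective `RUN_AS_USER`-style privilege drop looks like in a Rust daemon, together with the checks an operator or reviewer can run to confirm that the drop actually took effect: after a correct drop the process must not be able to switch back to uid 0, and a file only root can read must be unreadable. The uid/gid value 65534 and the path `/etc/shadow` are assumptions chosen for illustration.

```rust
// Added example, not code from the Stalwart project.
// Demonstrates a permanent privilege drop plus post-drop verification.
use std::fs;
use std::io;

// Raw libc calls; std already links libc on Unix, so no external crate is needed.
extern "C" {
    fn geteuid() -> u32;
    fn getuid() -> u32;
    fn setgroups(size: usize, list: *const u32) -> i32;
    fn setgid(gid: u32) -> i32;
    fn setuid(uid: u32) -> i32;
}

/// Permanently drop root to `uid`/`gid`.
/// Order matters: clear supplementary groups and set the gid while still root,
/// then set the uid last, because after setuid() the process can no longer
/// change its groups. setuid()/setgid() (not seteuid()/setegid()) change the
/// real, effective and saved ids, so root cannot be regained afterwards.
pub fn drop_privileges(uid: u32, gid: u32) -> io::Result<()> {
    // Refuse a configuration that would keep the daemon running as root.
    if uid == 0 {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            "refusing to run as uid 0",
        ));
    }
    // Already unprivileged: nothing to drop (keeps the call idempotent).
    if unsafe { geteuid() } != 0 {
        return Ok(());
    }
    unsafe {
        if setgroups(0, std::ptr::null()) != 0 {
            return Err(io::Error::last_os_error());
        }
        if setgid(gid) != 0 {
            return Err(io::Error::last_os_error());
        }
        if setuid(uid) != 0 {
            return Err(io::Error::last_os_error());
        }
    }
    Ok(())
}

/// True if the process still holds root privileges (real or effective uid 0).
pub fn is_root() -> bool {
    unsafe { geteuid() == 0 || getuid() == 0 }
}

/// True if the process can switch back to uid 0. After a correct drop this
/// must be false; a daemon that only changed its effective uid, leaving the
/// saved uid at 0, would return true here.
pub fn can_regain_root() -> bool {
    unsafe { setuid(0) == 0 }
}

/// True if the current user can read `path`. Run on a root-only file after the
/// drop, this must be false; a true result means file access is still
/// happening with root privileges.
pub fn can_read(path: &str) -> bool {
    fs::read(path).is_ok()
}

fn main() {
    // Assumed values: uid/gid 65534 is conventionally `nobody`.
    match drop_privileges(65534, 65534) {
        Ok(()) => println!("running as uid {}", unsafe { getuid() }),
        Err(e) => eprintln!("privilege drop failed: {e}"),
    }
    println!("still root: {}", is_root());
    println!("can regain root: {}", can_regain_root());
    println!("can read /etc/shadow: {}", can_read("/etc/shadow"));
}
```

The two verification calls are the ones worth keeping in a deployment smoke test: `can_regain_root()` catches a drop that only touched the effective uid, and `can_read()` on a root-only file catches the class of problem this advisory describes, where the switch to the configured user does not confine the daemon's file reads.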


CVSS Data

Attack Vector : NETWORK
Attack Complexity : LOW
Privileges Required : HIGH
User Interaction : NONE
Scope : CHANGED
Confidentiality Impact : HIGH
Integrity Impact : NONE
Availability Impact : NONE
Base Score : 6.8
Base Severity : MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

This website uses the NVD API, but is not approved or certified by it.