CVE-2010-1637

The Mail Fetch plugin in SquirrelMail 1.4.20 and earlier allows remote authenticated users to bypass firewall restrictions and use SquirrelMail as a proxy to scan internal networks via a modified POP3 port number.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20-%20Laurent%20Oudot%20-%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf#page=69	Broken Link
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html	Mailing List
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043239.html	Mailing List
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043258.html	Mailing List
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043261.html	Mailing List
http://rhn.redhat.com/errata/RHSA-2012-0103.html	Third Party Advisory
http://secunia.com/advisories/40307	Broken Link
http://squirrelmail.org/security/issue/2010-06-21	Patch Vendor Advisory
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/functions.php?r1=13951&r2=13950&pathrev=13951	Product
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/options.php?r1=13951&r2=13950&pathrev=13951	Patch
http://support.apple.com/kb/HT5130	Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2010:120	Broken Link
http://www.openwall.com/lists/oss-security/2010/05/25/3	Mailing List
http://www.openwall.com/lists/oss-security/2010/05/25/9	Mailing List
http://www.openwall.com/lists/oss-security/2010/06/21/1	Mailing List Patch
http://www.securityfocus.com/bid/40291	Broken Link Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/40307	Broken Link Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2010/1535	Broken Link
http://www.vupen.com/english/advisories/2010/1536	Broken Link
http://www.vupen.com/english/advisories/2010/1554	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:squirrelmail:squirrelmail:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:11:::::::*
	cpe:2.3:o:fedoraproject:fedora:12:::::::*
	cpe:2.3:o:fedoraproject:fedora:13:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:apple:mac_os_x::::::::
	cpe:2.3:o:apple:mac_os_x_server::::::::

Configuration 4 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*

History

08 Feb 2024, 19:56

Information

Published : 2010-06-22 17:30

Updated : 2024-02-08 19:56

NVD link : CVE-2010-1637

Mitre link : CVE-2010-1637

CVE.ORG link : CVE-2010-1637

JSON object : View

Products Affected

redhat

enterprise_linux_desktop
enterprise_linux_server
enterprise_linux_workstation

apple

mac_os_x_server
mac_os_x

squirrelmail

squirrelmail

fedoraproject

fedora

CWE

CWE-918

Server-Side Request Forgery (SSRF)

Type	Values Removed	Values Added
CPE	cpe:2.3:a:squirrelmail:squirrelmail:1.2.6:rc1:::::: cpe:2.3:a:squirrelmail:squirrelmail:1.0.6:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.9a:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:r3:::::: cpe:2.3:a:squirrelmail:squirrelmail:0.4pre2:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.12:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.2.9:::::::* cpe:2.3:a:squirrelmail:squirrelmail:0.3:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.5:rc1:::::: cpe:2.3:a:squirrelmail:squirrelmail:0.2:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.7:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.2.4:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.4_rc1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.2.7:::::::* cpe:2.3:a:squirrelmail:squirrelmail:0.1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:0.2.1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:::::::* cpe:2.3:a:squirrelmail:squirrelmail:0.5:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.1.2:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.0pre1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.1.0:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:rc1:::::: cpe:2.3:a:squirrelmail:squirrelmail:1.0pre2:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.44:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r2:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.3aa:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.13:::::::* cpe:2.3:a:squirrelmail:squirrelmail:0.4:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:rc1:::::: cpe:2.3:a:squirrelmail:squirrelmail:1.2.8:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.3a:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.10:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.0.3:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.8.4fc6:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:rc1:::::: cpe:2.3:a:squirrelmail:squirrelmail:0.5pre2:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.0.1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.2.5:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r4:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.0.5:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.2.6:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.3.2:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.9:::::::* cpe:2.3:a:squirrelmail:squirrelmail:0.3.1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r5:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.0.2:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.5:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.2:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.2.11:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.17:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.2.0:rc3:::::: cpe:2.3:a:squirrelmail:squirrelmail:0.1.1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:rc2a:::::: cpe:2.3:a:squirrelmail:squirrelmail:1.0pre3:::::::* cpe:2.3:a:squirrelmail:squirrelmail:0.5pre1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4:rc1:::::: cpe:2.3:a:squirrelmail:squirrelmail:1.3.0:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:rc1:::::: cpe:2.3:a:squirrelmail:squirrelmail:1.0:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r3:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.3.1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.4:rc1:::::: cpe:2.3:a:squirrelmail:squirrelmail:0.1.2:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.18:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.1.1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.16:::::::* cpe:2.3:a:squirrelmail:squirrelmail:0.3pre1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.2.1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.2.2:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.2.3:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.2:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.0.4:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.4:::::::* cpe:2.3:a:squirrelmail:squirrelmail:0.4pre1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.10a:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.2.0:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.11:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.0-r1:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.8:::::::* cpe:2.3:a:squirrelmail:squirrelmail:0.3pre2:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.4.19:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.1.3:::::::* cpe:2.3:a:squirrelmail:squirrelmail:1.2.10:::::::*	cpe:2.3:o:apple:mac_os_x_server:::::::: cpe:2.3:o:fedoraproject:fedora:12:::::::* cpe:2.3:o:fedoraproject:fedora:11:::::::* cpe:2.3:o:apple:mac_os_x:::::::: cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::* cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::* cpe:2.3:o:fedoraproject:fedora:13:::::::* cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
References	~~() http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20-%20Laurent%20Oudot%20-%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf#page=69 -~~	() http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20-%20Laurent%20Oudot%20-%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf#page=69 - Broken Link
References	~~() http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html -~~	() http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html - Mailing List
References	~~() http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043239.html -~~	() http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043239.html - Mailing List
References	~~() http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043258.html -~~	() http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043258.html - Mailing List
References	~~() http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043261.html -~~	() http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043261.html - Mailing List
References	~~() http://rhn.redhat.com/errata/RHSA-2012-0103.html -~~	() http://rhn.redhat.com/errata/RHSA-2012-0103.html - Third Party Advisory
References	~~() http://secunia.com/advisories/40307 -~~	() http://secunia.com/advisories/40307 - Broken Link
References	~~() http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/functions.php?r1=13951&r2=13950&pathrev=13951 -~~	() http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/functions.php?r1=13951&r2=13950&pathrev=13951 - Product
References	~~() http://support.apple.com/kb/HT5130 -~~	() http://support.apple.com/kb/HT5130 - Third Party Advisory
References	~~() http://www.mandriva.com/security/advisories?name=MDVSA-2010:120 -~~	() http://www.mandriva.com/security/advisories?name=MDVSA-2010:120 - Broken Link
References	~~() http://www.openwall.com/lists/oss-security/2010/05/25/3 -~~	() http://www.openwall.com/lists/oss-security/2010/05/25/3 - Mailing List
References	~~() http://www.openwall.com/lists/oss-security/2010/05/25/9 -~~	() http://www.openwall.com/lists/oss-security/2010/05/25/9 - Mailing List
References	~~() http://www.openwall.com/lists/oss-security/2010/06/21/1 - Patch~~	() http://www.openwall.com/lists/oss-security/2010/06/21/1 - Mailing List, Patch
References	~~() http://www.securityfocus.com/bid/40291 -~~	() http://www.securityfocus.com/bid/40291 - Broken Link, Third Party Advisory, VDB Entry
References	~~() http://www.securityfocus.com/bid/40307 -~~	() http://www.securityfocus.com/bid/40307 - Broken Link, Third Party Advisory, VDB Entry
References	~~() http://www.vupen.com/english/advisories/2010/1535 -~~	() http://www.vupen.com/english/advisories/2010/1535 - Broken Link
References	~~() http://www.vupen.com/english/advisories/2010/1536 -~~	() http://www.vupen.com/english/advisories/2010/1536 - Broken Link
References	~~() http://www.vupen.com/english/advisories/2010/1554 -~~	() http://www.vupen.com/english/advisories/2010/1554 - Broken Link
CWE	~~CWE-264~~	CWE-918
CVSS	v2 : ~~4.0~~ v3 : ~~unknown~~	v2 : 4.0 v3 : 6.5
First Time		Apple mac Os X Server Redhat Redhat enterprise Linux Server Apple mac Os X Redhat enterprise Linux Desktop Fedoraproject fedora Fedoraproject Apple Redhat enterprise Linux Workstation

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2010-1637

6.5^/10

4.0^/10

Attach tags to `CVE-2010-1637`