Information disclosure in Postfix

Published: 2008-08-18 | Updated: 2025-06-11

Risk	Low
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2008-2936 CVE-2008-2937
CWE-ID	CWE-62 CWE-200
Exploitation vector	Local
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software	Postfix Server applications / Mail servers
Vendor	Postfix.org

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) UNIX Hard Link

EUVDB-ID: #VU110627

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2008-2936

CWE-ID: CWE-62 - UNIX Hard Link

Exploit availability: Yes

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to an error when following hard links. A local user can append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then send the message.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Postfix: 2.3 - 2.5.3

CPE2.3

External links

https:ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-2.6-20080814.HISTORY
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.3.15.HISTORY
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.4.8.HISTORY
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.4.HISTORY
https://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.html
https://www.securityfocus.com/bid/30691
https://secunia.com/advisories/31485
https://secunia.com/advisories/31500
https://www.kb.cert.org/vuls/id/938323
https://www.securitytracker.com/id?1020700
https://security.gentoo.org/glsa/glsa-200808-12.xml
https://secunia.com/advisories/31469
https://www.redhat.com/support/errata/RHSA-2008-0839.html
https://article.gmane.org/gmane.mail.postfix.announce/110
https://secunia.com/advisories/31477
https://www.mandriva.com/security/advisories?name=MDVSA-2008:171
https://www.debian.org/security/2008/dsa-1629
https://secunia.com/advisories/31530
https://secunia.com/advisories/31474
https://issues.rpath.com/browse/RPL-2689
https://wiki.rpath.com/Advisories:rPSA-2008-0259
https://securityreason.com/securityalert/4160
https://secunia.com/advisories/32231
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00287.html
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00271.html
https://www.vupen.com/english/advisories/2008/2385
https://exchange.xforce.ibmcloud.com/vulnerabilities/44460
https://www.exploit-db.com/exploits/6337
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10033
https://usn.ubuntu.com/636-1/
https://www.securityfocus.com/archive/1/495882/100/0/threaded
https://www.securityfocus.com/archive/1/495632/100/0/threaded
https://www.securityfocus.com/archive/1/495474/100/0/threaded

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Information disclosure

EUVDB-ID: #VU110628

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2008-2937

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No