#VU110628 Information disclosure in Postfix - CVE-2008-2937

Cybersecurity Help s.r.o.

Published: 2025-06-08

Vulnerability identifier: #VU110628

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2008-2937

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Postfix
Server applications / Mail servers

Vendor: Postfix.org

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to software delivers to a mailbox file even when this file is not owned by the recipient. A local user can read e-mail messages by creating a mailbox file corresponding to another user's account name.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Postfix: 2.5.0, 2.5.1, 2.5.2, 2.5.3

External links
https:httpftp://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-2.6-20080814.HISTORY
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.5.4.HISTORY
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
https://lists.opensuse.org/opensuse-security-announce/2008-08/msg00002.html
https://secunia.com/advisories/31477
https://secunia.com/advisories/31485
https://secunia.com/advisories/31500
https://secunia.com/advisories/32231
https://security.gentoo.org/glsa/glsa-200808-12.xml
https://wiki.rpath.com/Advisories:rPSA-2008-0259
https://www.mandriva.com/security/advisories?name=MDVSA-2009:224
https://www.redhat.com/support/errata/RHSA-2011-0422.html
https://www.securityfocus.com/archive/1/495632/100/0/threaded
https://www.securityfocus.com/bid/30691
https://www.vupen.com/english/advisories/2008/2385
https://exchange.xforce.ibmcloud.com/vulnerabilities/44461
https://issues.rpath.com/browse/RPL-2689
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00271.html
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00287.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Postfix