CVE-2019-18928 - Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP req

CVE-2019-18928

Summary

Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.

References

Vulnerable Configurations

cpe:2.3:a:cyrus:imap:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.3:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.3:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.4:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.4:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.5:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.5:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.6:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.6:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.7:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.7:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.8:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.8:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.9:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.9:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.10:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.10:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.11:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.11:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.12:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.12:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.13:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:2.5.13:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:-:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:-:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:beta6:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:beta6:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:rc4:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.0:rc4:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.4:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.4:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.5:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.5:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.6:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.6:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.7:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.7:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.8:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.8:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.9:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.9:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.10:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.10:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.11:*:*:*:*:*:*:*
cpe:2.3:a:cyrus:imap:3.0.11:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 10-02-2023 - 03:06)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

redhat via4

rpms

cyrus-imapd-0:3.0.7-19.el8
cyrus-imapd-debuginfo-0:3.0.7-19.el8
cyrus-imapd-debugsource-0:3.0.7-19.el8
cyrus-imapd-utils-0:3.0.7-19.el8
cyrus-imapd-utils-debuginfo-0:3.0.7-19.el8
cyrus-imapd-vzic-0:3.0.7-19.el8
cyrus-imapd-vzic-debuginfo-0:3.0.7-19.el8

refmap via4

fedora	FEDORA-2019-03be160f9c FEDORA-2019-393e1cef4d
misc	https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html

Last major update

10-02-2023 - 03:06

Published

15-11-2019 - 04:15

Last modified

10-02-2023 - 03:06