CVE-2019-18928

Published: Nov 15, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.

Affected (5)

Products: Cyrus: Imap · Fedoraproject: Fedora · Debian: Debian Linux

1 product

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Cyrus Imap	From 2.5.0 to 2.5.14
Cyrus Imap	From 3.0.0 to 3.0.12

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 30
Fedoraproject Fedora	Version 31

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 9.0

References (10)

https://lists.debian.org/debian-lts-announce/2022/06/msg00013.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LAGKPZDXQ6KRUGQVRAO6N4PCINP6KS5F/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHV3TUU53WCKJ3BBRK2EHAF44MSZEFK6/

Source: cve@mitre.org

https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html

Source: cve@mitre.org

PatchRelease NotesThird Party Advisory

https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html

Source: cve@mitre.org

PatchRelease NotesThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/06/msg00013.html