Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-19783

An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.

Published

2019-12-16T14:15:12.257

Last Modified

2024-11-21T04:35:22.613

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses

Type: Primary
CWE-269

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	cyrus	imap	< 2.5.15	Yes
Application	cyrus	imap	< 3.0.13	Yes
Application	cyrus	imap	< 3.1.8	Yes
Operating System	debian	debian_linux	9.0	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	fedoraproject	fedora	30	Yes
Operating System	fedoraproject	fedora	31	Yes
Operating System	canonical	ubuntu_linux	18.04	Yes

References

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIV4HQ6LG5GPRO4B5Z2NHCZUPBUVVVF/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IGOO5UGEBBDPN7B2YXLK7I7L3Y35EBA/ ([email protected])
https://seclists.org/bugtraq/2019/Dec/38 Mailing List, Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/202006-23 Third Party Advisory ([email protected])
https://usn.ubuntu.com/4566-1/ Third Party Advisory ([email protected])
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html Patch, Release Notes, Vendor Advisory ([email protected])
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html Patch, Release Notes, Vendor Advisory ([email protected])
https://www.debian.org/security/2019/dsa-4590 Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIV4HQ6LG5GPRO4B5Z2NHCZUPBUVVVF/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IGOO5UGEBBDPN7B2YXLK7I7L3Y35EBA/ (af854a3a-2127-422b-91ae-364da2661108)
https://seclists.org/bugtraq/2019/Dec/38 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202006-23 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4566-1/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html Patch, Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html Patch, Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2019/dsa-4590 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)