CVE-2019-18928
First published: Fri Nov 15 2019(Updated: )
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/cyrus-imapd | 3.2.6-2+deb11u2 3.2.6-2+deb11u4 3.6.1-4+deb12u3 3.6.1-4+deb12u2 3.10.1-1 | |
| Cyrus IMAP Server | >=2.5.0<2.5.14 | |
| Cyrus IMAP Server | >=3.0.0<3.0.12 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.debian.org/debian-lts-announce/2022/06/msg00013.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LAGKPZDXQ6KRUGQVRAO6N4PCINP6KS5F/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PHV3TUU53WCKJ3BBRK2EHAF44MSZEFK6/
- https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html
- https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHV3TUU53WCKJ3BBRK2EHAF44MSZEFK6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LAGKPZDXQ6KRUGQVRAO6N4PCINP6KS5F/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18928
- https://nvd.nist.gov/vuln/detail/CVE-2019-18928
- https://launchpad.net/bugs/cve/CVE-2019-18928
- https://security-tracker.debian.org/tracker/CVE-2019-18928
- https://ubuntu.com/security/CVE-2019-18928
- https://github.com/cyrusimap/cyrus-imapd/commit/e675bf7b0e9c6e160516d274bffaec6f9dccaef7
Frequently Asked Questions
What is the severity of CVE-2019-18928?
CVE-2019-18928 is classified as a privilege escalation vulnerability.
How do I fix CVE-2019-18928?
To fix CVE-2019-18928, upgrade to Cyrus IMAP version 2.5.14 or 3.0.12 or later.
What versions of Cyrus IMAP are affected by CVE-2019-18928?
CVE-2019-18928 affects Cyrus IMAP versions prior to 2.5.14 and 3.x prior to 3.0.12.
Which operating systems are vulnerable to CVE-2019-18928?
CVE-2019-18928 affects systems running vulnerable versions of Cyrus IMAP on Debian and Fedora.
Is CVE-2019-18928 remotely exploitable?
Yes, CVE-2019-18928 can potentially be exploited remotely due to its nature of handling HTTP requests.
- agent/remedy
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/first-publish-date
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/author
- collector/launchpad-cve
- source/Launchpad
- agent/source
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/debian
- vendor/cyrus
- canonical/cyrus imap server
- version/cyrus imap server/2.5.0
- version/cyrus imap server/3.0.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0