CVE-2004-1013

6 documents6 sources

Severity

10.0CRITICAL

EPSS

10.2%

top 6.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Carnegie Mellon University Cyrus Imap Server Conectiva Linux Openpkg Openpkg +3 more

Timeline

PublishedJan 10

Latest updateApr 29

Description

The argument parser of the FETCH command in Cyrus IMAP Server 2.2.x through 2.2.8 allows remote authenticated users to execute arbitrary code via certain commands such as (1) "body[p", (2) "binary[p", or (3) "binary[p") that cause an index increment error that leads to an out-of-bounds memory corruption.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages6 packages

▶NVDcarnegie_mellon_university/cyrus_imap_server13 versions+12

▶Debiancyrus-imapd< 1.5.19-20+3

▶NVDconectiva/linux10.0, 9.0+1

▶NVDopenpkg/openpkgcurrent

▶NVDredhat/fedora_corecore_2.0, core_3.0+1

Also affects: Ubuntu Linux 4.1

Patches

Patch: www.debian.org ↗Patch: www.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-p9j6-5f4r-fcwc: The argument parser of the FETCH command in Cyrus IMAP Server 2↗2022-04-29

▶

OSV

CVE-2004-1013: The argument parser of the FETCH command in Cyrus IMAP Server 2↗2005-01-10

▶

CVEList

CVE-2004-1013: The argument parser of the FETCH command in Cyrus IMAP Server 2↗2004-12-01

▶

📋Vendor Advisories

Ubuntu

cyrus21-imapd vulnerabilities↗2004-11-24

▶

Debian

CVE-2004-1013: cyrus-imapd - The argument parser of the FETCH command in Cyrus IMAP Server 2.2.x through 2.2....↗2004

▶