CVE-2019-11356: The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name.

Affected

15 ranges

Vendor	Product	Version range	Fixed in
canonical	ubuntu_linux	—	—
cyrus	imap	2.5.0 – 2.5.12	—
cyrus	imap	3.0.0 – 3.0.9	—
debian	cyrus-imapd	< cyrus-imapd 3.0.8-6 (bookworm)	cyrus-imapd 3.0.8-6 (bookworm)
debian	debian_linux	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
redhat	enterprise_linux	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_tus	—	—
redhat	enterprise_linux_server_tus	—	—

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL