CVE-2019-18928 — Improper Authentication in Imap

CWE-287 — Improper Authentication10 documents8 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 39.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cyrus Imap Debian Linux Fedoraproject Fedora

Timeline

PublishedNov 15

Latest updateJan 22

Description

Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDcyrus/imap2.5.0 — 2.5.14+1

Also affects: Debian Linux 9.0, Fedora 30, 31

Patches

Patch: www.cyrusimap.org ↗Patch: www.cyrusimap.org ↗Patch: www.cyrusimap.org ↗

🔴Vulnerability Details

OSV

cyrus-imapd vulnerabilities↗2025-01-22

▶

GHSA

GHSA-mpmx-j2j3-253q: Cyrus IMAP 2↗2022-05-24

▶

OSV

CVE-2019-18928: Cyrus IMAP 2↗2019-11-15

▶

CVEList

CVE-2019-18928: Cyrus IMAP 2↗2019-11-15

▶

📋Vendor Advisories

Ubuntu

Cyrus IMAP Server vulnerabilities↗2025-01-22

▶

Red Hat

cyrus-imapd: privilege escalation in HTTP request↗2019-11-14

▶

Debian

CVE-2019-18928: cyrus-imapd - Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation...↗2019

▶

💬Community

Bugzilla

CVE-2019-18928 cyrus-imapd: privilege escalation in HTTP request↗2019-11-21

▶

Bugzilla

CVE-2019-18928 cyrus-imapd: privilege escalation in HTTP request [fedora-all]↗2019-11-21

▶