CVE-2019-18928
published 2019-11-15


Priority: P354
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.39% (81.9th percentile)
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.

In practice this is per-connection authentication state that is not reset between requests on a persistent (keep-alive) HTTP connection: a request that reaches the server over a connection an authenticated user has already used can be processed with that user's privileges, so the exposure is greatest wherever several clients share one backend connection, for example behind a connection-reusing reverse proxy. The fixed releases are 2.5.14 and 3.0.12.
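The description above is all the page records about the flaw. What follows is an added illustration, not Cyrus IMAP code: a toy model in Python of the bug class, a keep-alive HTTP handler that caches the authenticated principal on the connection object and never clears it, beside a handler that re-derives the principal from each request's own Authorization header. The user database, hostname, request paths and the pipelined byte stream are all constructed for the demo.

```python
"""Toy model of the CVE-2019-18928 bug class: authentication context that
survives across requests on one persistent HTTP connection.

Added illustration, not Cyrus IMAP code. Users, host, paths and the
pipelined request stream are constructed for the demo.
"""
import base64
from dataclasses import dataclass
from typing import Optional

# Constructed user database (not real accounts).
USERS = {"alice": "alice-pw", "bob": "bob-pw"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict


@dataclass
class Connection:
    """Per-connection state, as a keep-alive server would hold it."""
    auth_user: Optional[str] = None   # the field that leaks in the vulnerable path


def basic_header(user: str, pw: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def parse_requests(raw: bytes) -> list:
    """Split a pipelined byte stream into header-only requests (no bodies)."""
    reqs = []
    for chunk in raw.split(b"\r\n\r\n"):
        if not chunk.strip():
            continue
        lines = chunk.decode("ascii").split("\r\n")
        method, path, _version = lines[0].split(" ")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        reqs.append(Request(method, path, headers))
    return reqs


def authenticate(req: Request) -> Optional[str]:
    """Validate Basic credentials carried by *this* request only."""
    auth = req.headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == pw else None


def handle_vulnerable(conn: Connection, req: Request) -> str:
    """Bug: the principal is cached on the connection and never cleared, so a
    later credential-less request inherits the previous requester's identity."""
    if conn.auth_user is None:
        conn.auth_user = authenticate(req)
    return f"{req.method} {req.path} as {conn.auth_user or 'anonymous'}"


def handle_fixed(conn: Connection, req: Request) -> str:
    """Fix: derive the principal afresh from each request's own credentials."""
    conn.auth_user = authenticate(req)
    return f"{req.method} {req.path} as {conn.auth_user or 'anonymous'}"


def serve(handler, raw: bytes) -> list:
    """Run one connection's pipelined requests through a handler."""
    conn = Connection()
    return [handler(conn, r) for r in parse_requests(raw)]


# Constructed pipelined stream: alice authenticates, then an unrelated
# request with no credentials arrives on the same connection.
PIPELINED = (
    b"PROPFIND /dav/calendars/user/alice/ HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Authorization: " + basic_header("alice", "alice-pw").encode() + b"\r\n"
    b"\r\n"
    b"DELETE /dav/calendars/user/alice/work.ics HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("fixed", handle_fixed)):
        print(name)
        for line in serve(handler, PIPELINED):
            print("  ", line)
```

Run it and the vulnerable handler reports the second, unauthenticated DELETE as alice, while the fixed handler reports it as anonymous. The point of the fixed variant is not the extra parse but that the identity used for authorization is a function of the request, never of what the connection previously carried.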

Affected (6 ranges)

Vendor         Product       Version range                       Fixed in
cyrusimap                    >= 2.5.0, < 2.5.14                  2.5.14
cyrusimap                    >= 3.0.0, < 3.0.12                  3.0.12
debian         cyrus-imapd   < cyrus-imapd 3.0.12-1 (bookworm)   cyrus-imapd 3.0.12-1 (bookworm)
debian         debian_linux
fedoraproject  fedora
fedoraproject  fedora

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                     9.8    CRITICAL
vendor_debian           9.8    CRITICAL
vendor_redhat           9.8    CRITICAL
vendor_ubuntu           9.8    CRITICAL