CVE-2019-18928
Published: 2019-11-15
Priority: P354, critical 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.39% (81.9th percentile)
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cyrus | imap | >= 2.5.0 < 2.5.14 | 2.5.14 |
| cyrus | imap | >= 3.0.0 < 3.0.12 | 3.0.12 |
| debian | cyrus-imapd | < cyrus-imapd 3.0.12-1 (bookworm) | cyrus-imapd 3.0.12-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
OSV: cyrus-imapd vulnerabilities
osv · 2025-01-22 · CVSS 9.8 · CVE-2019-18928 [CRITICAL]
It was discovered that non-authentication-related HTTP requests could be interpreted in an authentication context by a Cyrus IMAP Server when multiple requests arrived over the same connection. An unauthenticated attacker could possibly use this issue to perform a privilege escalation attack. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-18928)

Matthew Horsfall discovered that Cyrus IMAP Server utilized a poor string hashing algorithm that could be abused to control where data was being stored. An attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-33582)

Damian Poddebniak discovered that Cyrus IMAP Server could interpret specially crafted commands to exploit a
GHSA: GHSA-mpmx-j2j3-253q: Cyrus IMAP 2
ghsa_unreviewed · 2022-05-24 · CVE-2019-18928 [HIGH]
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.
OSV: CVE-2019-18928: Cyrus IMAP 2
osv · 2019-11-15 · CVSS 9.8 · CVE-2019-18928 [CRITICAL]
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.
Ubuntu: Cyrus IMAP Server vulnerabilities
vendor_ubuntu · 2025-01-22 · CVSS 9.8 · CVE-2024-34055 [CRITICAL]
Summary: Several security issues were fixed in Cyrus IMAP Server.
It was discovered that non-authentication-related HTTP requests could be interpreted in an authentication context by a Cyrus IMAP Server when multiple requests arrived over the same connection. An unauthenticated attacker could possibly use this issue to perform a privilege escalation attack. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-18928)

Matthew Horsfall discovered that Cyrus IMAP Server utilized a poor string hashing algorithm that could be abused to control where data was being stored. An attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-33582)

Damian Poddebniak discovere
Red Hat: cyrus-imapd: privilege escalation in HTTP request
vendor_redhat · 2019-11-14 · CVSS 9.8 · CVE-2019-18928 [CRITICAL] · CWE-287
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.
Statement: If HTTP is enabled (e.g. RSS, CalDAV), cyrus-imapd does not properly authenticate a HTTP request coming through a connection that has been previously authenticated. Usually, this is not a problem, as each user will have their own connection and a breach of security boundaries would not be possible. An exception to this rule is if the cyrus-imapd HTTP service is behind a proxy, for example a reverse caching proxy, and said proxy reuses the same connection to cyrus-imapd for multiple requests.
Package: cyru
Debian: CVE-2019-18928: cyrus-imapd - Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation...
vendor_debian · 2019 · CVSS 9.8 · CVE-2019-18928 [CRITICAL]
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.
Scope: local
bookworm: resolved (fixed in 3.0.12-1)
bullseye: resolved (fixed in 3.0.12-1)
forky: resolved (fixed in 3.0.12-1)
sid: resolved (fixed in 3.0.12-1)
trixie: resolved (fixed in 3.0.12-1)
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2019-18928 cyrus-imapd: privilege escalation in HTTP request
bugzilla · 2019-11-21 · CVSS 9.8 · CVE-2019-18928 [CRITICAL]
A vulnerability was found in Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 that allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.
Reference:
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html
Discussion:
Created cyrus-imapd tracking bugs for this issue:
Affects: fedora-all [bug 1775179]
---
External References:
https://github.com/cyrusimap/cyrus-imapd/issues/2904
---
Statement:
If HTTP is enabled (e.g. RSS, CalDAV), cyrus-imapd does not properly authenticate a HTTP request coming through a connection
Bugzilla: CVE-2019-18928 cyrus-imapd: privilege escalation in HTTP request [fedora-all]
bugzilla · 2019-11-21 · CVSS 9.8 · CVE-2019-18928 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versions
References:
https://lists.debian.org/debian-lts-announce/2022/06/msg00013.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LAGKPZDXQ6KRUGQVRAO6N4PCINP6KS5F/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHV3TUU53WCKJ3BBRK2EHAF44MSZEFK6/
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html