CVE-2021-32056 — Incorrect Permission Assignment in Imap

CWE-732 — Incorrect Permission Assignment CWE-863 — Incorrect Authorization6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 56.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cyrus Imap Fedoraproject Fedora

Timeline

PublishedMay 10

Latest updateMay 24

Description

Cyrus IMAP before 3.2.7, and 3.3.x and 3.4.x before 3.4.1, allows remote authenticated users to bypass intended access restrictions on server annotations and consequently cause replication to stall.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDcyrus/imap3.3.0 — 3.4.1+1

Also affects: Fedora 34, 35

Patches

Patch: cyrus.topicbox.com ↗Patch: cyrus.topicbox.com ↗Patch: www.cyrusimap.org ↗

🔴Vulnerability Details

GHSA

GHSA-v3j8-2g92-h2q8: Cyrus IMAP before 3↗2022-05-24

▶

OSV

CVE-2021-32056: Cyrus IMAP before 3↗2021-05-10

▶

CVEList

CVE-2021-32056: Cyrus IMAP before 3↗2021-05-10

▶

📋Vendor Advisories

Red Hat

cyrus-imapd: remote authenticated users could bypass intended access restrictions on certain server annotations↗2021-05-10

▶

Debian

CVE-2021-32056: cyrus-imapd - Cyrus IMAP before 3.2.7, and 3.3.x and 3.4.x before 3.4.1, allows remote authent...↗2021

▶