CVE-2018-19518
high-risk
Published 2018-11-25
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
Do I need to act?
93.9% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
1 public exploit available
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10
High
NETWORK / HIGH complexity
Affected Products (7)
Affected Vendors
References (40)
Broken Link: http://www.securityfocus.com/bid/106018
Broken Link: http://www.securitytracker.com/id/1042157
Mailing List: https://bugs.debian.org/913775
Mailing List: https://bugs.debian.org/913835
Mailing List: https://bugs.debian.org/913836
Vendor Advisory: https://bugs.php.net/bug.php?id=77160
Third Party Advisory: https://security.gentoo.org/glsa/202003-57
Third Party Advisory: https://security.netapp.com/advisory/ntap-20181221-0004/
Third Party Advisory: https://usn.ubuntu.com/4160-1/
Third Party Advisory: https://www.debian.org/security/2018/dsa-4353
and 20 more references
63 / 100
high-risk
Severity
22/34 · High
Exploitability
27/34 · High
Exposure
14/34 · Moderate