CVE-2019-11356

high-risk

Published 2019-06-03

The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name.

Do I need to act?

28.2% chance of exploitation in next 30 days

EPSS score — higher than 72% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (13)

Imap

Fedora

Debian Linux

Ubuntu Linux

Enterprise Linux

Enterprise Linux Eus

Enterprise Linux Server Aus

Enterprise Linux Server Tus

Affected Vendors

Debian Redhat Cyrus Canonical Fedoraproject

References (20)

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:1771

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Mailing List https://seclists.org/bugtraq/2019/Jun/9

Third Party Advisory https://usn.ubuntu.com/4566-1/

Release Notes https://www.cyrusimap.org/imap/download/release-notes/2.5/index.html

Release Notes https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.13.html

Release Notes https://www.cyrusimap.org/imap/download/release-notes/3.0/index.html

Release Notes https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.10.html

Third Party Advisory https://www.debian.org/security/2019/dsa-4458