CVE-2019-18928

moderate-risk
Published 2019-11-15

Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.

Do I need to act?

-
0.39% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 8bec158a9339eb6b9c4812b8339cb4d442e543ac, 1b3505c9d82118535791ac7c66519865f51d02f4
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (4)

Imap

Affected Vendors

Debian Cyrus Fedoraproject

References (10)

Mailing List https://lists.debian.org/debian-lts-announce/2022/06/msg00013.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Patch https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html
Patch https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html
Mailing List https://lists.debian.org/debian-lts-announce/2022/06/msg00013.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Patch https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html
Patch https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html
43
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 1/34 · Minimal
Exposure 10/34 · Low