#VU23774 Input validation error in Cyrus IMAP Server - CVE-2019-19783

Cybersecurity Help s.r.o.

Published: 2019-12-20

Vulnerability identifier: #VU23774

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-19783

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cyrus IMAP Server
Server applications / Other server solutions

Vendor: Carnegie Mellon University

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to insufficient validation of user-supplied input in autosieve_createfolder() function in imap/lmtp_sieve.c. A remote email user can create any mailbox with administrative privileges.

Successful exploitation of the vulnerability requires that the sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x).

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Cyrus IMAP Server: 2.5.0 - 3.1.8

External links
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for cyrus-imapd

Gentoo update for Cyrus IMAP Server

Debian update for cyrus-imapd

Privilege escalation in Cyrus IMAP

Fedora 30 update for cyrus-imapd

Fedora 31 update for cyrus-imapd