CVE-2019-11356
Published: 3 June 2019
The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name.
Priority
Status
Package | Release | Status |
---|---|---|
cyrus-imapd Launchpad, Ubuntu, Debian |
bionic |
Released
(2.5.10-3ubuntu1.1)
|
cosmic |
Ignored
(end of life)
|
|
disco |
Ignored
(end of life)
|
|
eoan |
Released
(3.0.8-6)
|
|
focal |
Released
(3.0.8-6)
|
|
groovy |
Released
(3.0.8-6)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(3.0.8-6)
|
|
xenial |
Does not exist
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11356
- https://bugzilla.redhat.com/show_bug.cgi?id=1717828
- https://github.com/cyrusimap/cyrus-imapd/commit/a5779db8163b99463e25e7c476f9cbba438b65f3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGO43JS7IFDNITHXOOHOP6JHRKRDIYY6/
- https://www.cyrusimap.org/imap/download/release-notes/2.5/index.html
- https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.13.html
- https://www.cyrusimap.org/imap/download/release-notes/3.0/index.html
- https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.10.html
- https://ubuntu.com/security/notices/USN-4566-1
- NVD
- Launchpad
- Debian