| Name | CVE-2019-18928 |
|---|---|
| Description | Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3052-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| cyrus-imapd (PTS) | stretch (security), stretch (lts), stretch | 2.5.10-3+deb9u3 | fixed |
| cyrus-imapd (PTS) | buster, buster (lts) | 3.0.8-6+deb10u7 | fixed |
| cyrus-imapd (PTS) | buster (security) | 3.0.8-6+deb10u3 | fixed |
| cyrus-imapd (PTS) | bullseye | 3.2.6-2+deb11u2 | fixed |
| cyrus-imapd (PTS) | bullseye (security) | 3.2.6-2+deb11u4 | fixed |
| cyrus-imapd (PTS) | bookworm | 3.6.1-4+deb12u3 | fixed |
| cyrus-imapd (PTS) | bookworm (security) | 3.6.1-4+deb12u2 | fixed |
| cyrus-imapd (PTS) | sid | 3.10.0-1 | fixed |
The information below is based on the following data on fixed versions.
Notes
https://github.com/cyrusimap/cyrus-imapd/commit/e675bf7b0e9c6e160516d274bffaec6f9dccaef7 (cyrus-imapd-3.0.12)
Fixed in 3.0.12 and 2.5.14 upstream