This security advisory describes one medium risk vulnerability.
The vulnerability allows a remote authenticated user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when the server handles an HTTP PUT operation (the CalDAV interface) for a calendar event whose iCalendar property name is overly long. A remote authenticated user can send a specially crafted PUT request and execute arbitrary code on the target system.
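The defect described above is an unbounded iCalendar property name reaching a parser that does not validate its length. The following is an added example, not Cyrus IMAP code: a front-end check that unfolds an iCalendar body and rejects property names that are malformed or longer than a chosen bound, so such a PUT body can be dropped in a reverse proxy or request filter before the CalDAV server parses it. The 64-character bound, the sample bodies and the function names (unfold, property_name, check_icalendar) are assumptions; the check is defense in depth and does not replace the package update.

```python
"""Front-end check for overlong iCalendar property names in a CalDAV PUT body.

Constructed example, not Cyrus IMAP code. Assumed names: unfold(),
property_name(), check_icalendar(), MAX_PROPERTY_NAME_LEN. Meant to run in
front of the server (reverse proxy, request filter) as defense in depth;
it does not replace the package update.
"""
import re

# Assumption: a bound far above any real property name (e.g. "LAST-MODIFIED"
# is 13 characters) but far below what an unbounded parser would accept.
MAX_PROPERTY_NAME_LEN = 64

# RFC 5545 section 3.1: a property name is an iana-token or x-name, i.e. only
# ASCII letters, digits and '-'.
_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")


def unfold(body: str) -> list:
    """Undo RFC 5545 line folding: a CRLF followed by SPACE or HTAB continues
    the previous line. The check must run after unfolding, because a long
    name can be folded across several physical lines."""
    lines = []
    for raw in body.replace("\r\n", "\n").split("\n"):
        if raw == "":
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def property_name(line: str) -> str:
    """The property name is everything before the first ';' (parameters)
    or ':' (value)."""
    return re.match(r"^[^;:]*", line).group(0)


def check_icalendar(body: str, max_len: int = MAX_PROPERTY_NAME_LEN) -> list:
    """Return a list of problems; an empty list means the body passes."""
    problems = []
    for n, line in enumerate(unfold(body), 1):
        if ":" not in line:
            problems.append("line %d: no ':' separator" % n)
            continue
        name = property_name(line)
        if len(name) > max_len:
            problems.append("line %d: property name length %d exceeds %d"
                            % (n, len(name), max_len))
        elif not _NAME_RE.match(name):
            problems.append("line %d: malformed property name %r" % (n, name))
    return problems


# Constructed sample bodies: a normal event, the same event with a 4 KiB
# property name on one line, and the same long name folded over two lines.
BENIGN = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//example//check//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:20170101T000000Z-1@example.invalid\r\n"
    "DTSTAMP:20170101T000000Z\r\n"
    "DTSTART:20170102T090000Z\r\n"
    "SUMMARY:Team meeting\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)
OVERLONG = BENIGN.replace("SUMMARY:Team meeting", "X-" + "A" * 4096 + ":x")
FOLDED = BENIGN.replace("SUMMARY:Team meeting",
                        "X-" + "A" * 70 + "\r\n " + "A" * 70 + ":x")

if __name__ == "__main__":
    for label, body in ("benign", BENIGN), ("overlong", OVERLONG), ("folded", FOLDED):
        print(label, check_icalendar(body) or "ok")
```

The name check runs on unfolded lines on purpose: a filter that inspects physical lines only would pass a folded name whose pieces each fit under the limit.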
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected package to version: 2.5.10-3+deb9u1.

Vulnerable software versions

cyrus-imapd (Debian package): 2.5.7-0+exp1, 2.5.7-0+exp2, 2.5.7-0+exp3, 2.5.7-0+exp4, 2.5.7-1, 2.5.8-1, 2.5.9-1, 2.5.9-2, 2.5.10-1, 2.5.10-2, 2.5.10-3
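To decide whether a given host is covered by the mitigation above, the installed cyrus-imapd version has to be ordered against 2.5.10-3+deb9u1 using Debian version semantics (epoch, upstream version, Debian revision, with "~" sorting before everything). On a Debian host `dpkg --compare-versions` does this; the added example below, which is not part of the advisory or of dpkg, re-implements that ordering in Python so a package inventory collected from many hosts can be triaged offline. The inventory format, host names and function names (compare_versions, is_vulnerable, hosts_needing_update) are assumptions.

```python
"""Check installed cyrus-imapd Debian package versions against this advisory.

Constructed example, not part of the advisory or of dpkg. Re-implements the
dpkg version ordering so it runs without dpkg. On a Debian host,
`dpkg --compare-versions <installed> lt 2.5.10-3+deb9u1` gives the same answer.
"""

FIXED_VERSION = "2.5.10-3+deb9u1"   # from the Mitigation section
AFFECTED_VERSIONS = [               # from the Vulnerable software versions section
    "2.5.7-0+exp1", "2.5.7-0+exp2", "2.5.7-0+exp3", "2.5.7-0+exp4",
    "2.5.7-1", "2.5.8-1", "2.5.9-1", "2.5.9-2",
    "2.5.10-1", "2.5.10-2", "2.5.10-3",
]


def _order(c: str) -> int:
    """Sort weight of one non-digit character, as in dpkg's verrevcmp()."""
    if c == "~":
        return -1            # '~' sorts before everything, even end of string
    if c.isalpha():
        return ord(c)
    return ord(c) + 256      # other symbols ('+', '.', '-') sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """dpkg ordering of one version part: alternate non-digit runs (compared
    character by character) and digit runs (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":       # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1                             # a has more digits: larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, upstream, revision = 0, version, ""
    if ":" in upstream:
        e, upstream = upstream.split(":", 1)
        epoch = int(e)
    if "-" in upstream:
        upstream, revision = upstream.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative, zero or positive as Debian version a is older than, equal to,
    or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed one."""
    return compare_versions(installed, fixed) < 0


# Constructed inventory, one "<host> <package> <version>" per line, as could be
# collected per host with: dpkg-query -W -f='${Package} ${Version}\n' cyrus-imapd
INVENTORY = """\
mail1 cyrus-imapd 2.5.10-3
mail2 cyrus-imapd 2.5.10-3+deb9u1
mail3 cyrus-imapd 2.5.7-0+exp2
mail4 cyrus-imapd 2.5.10-3+deb9u2
"""


def hosts_needing_update(inventory: str) -> list:
    """Hosts whose cyrus-imapd package is older than FIXED_VERSION."""
    out = []
    for line in inventory.splitlines():
        host, pkg, ver = line.split()
        if pkg == "cyrus-imapd" and is_vulnerable(ver):
            out.append(host)
    return out


if __name__ == "__main__":
    print(hosts_needing_update(INVENTORY))
```

The ordering matters for the "+deb9u1" suffix: a plain string comparison would also rank 2.5.10-3 below 2.5.10-3+deb9u1, but it would wrongly rank 2.5.9-1 above 2.5.10-3 and a "~rc" pre-release above the final release.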
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.