Input validation error in Cyrus IMAP Server

#VU23774 Input validation error in Cyrus IMAP Server

Published: 2019-12-20

Vulnerability identifier: #VU23774

Vulnerability risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19783

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cyrus IMAP Server
Server applications / Other server solutions

Vendor: Carnegie Mellon University

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to insufficient validation of user-supplied input in autosieve_createfolder() function in imap/lmtp_sieve.c. A remote email user can create any mailbox with administrative privileges.

Successful exploitation of the vulnerability requires that the sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x).

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Cyrus IMAP Server: 2.5.0 - 3.1.8

External links
http://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html
http://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Cyrus IMAP Server

Debian update for cyrus-imapd

Privilege escalation in Cyrus IMAP