CVE-2019-11356
Publication date 3 June 2019
Last updated 24 July 2024
Ubuntu priority
The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| cyrus-imapd | ||
| 20.04 LTS focal |
Fixed 3.0.8-6
|
|
| 18.04 LTS bionic |
Fixed 2.5.10-3ubuntu1.1
|
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4566-1
- Cyrus IMAP Server vulnerabilities
- 5 October 2020
Other references
- https://bugzilla.redhat.com/show_bug.cgi?id=1717828
- https://github.com/cyrusimap/cyrus-imapd/commit/a5779db8163b99463e25e7c476f9cbba438b65f3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGO43JS7IFDNITHXOOHOP6JHRKRDIYY6/
- https://www.cyrusimap.org/imap/download/release-notes/2.5/index.html
- https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.13.html
- https://www.cyrusimap.org/imap/download/release-notes/3.0/index.html
- https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.10.html
- https://www.cve.org/CVERecord?id=CVE-2019-11356