CVE-2019-18928
Publication date 15 November 2019
Last updated 24 July 2024
Ubuntu priority
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| cyrus-imapd | 24.10 oracular |
Fixed 3.0.12-1
|
| 24.04 LTS noble |
Fixed 3.0.12-1
|
|
| 22.04 LTS jammy |
Fixed 3.0.12-1
|
|
| 20.04 LTS focal |
Fixed 3.0.12-1
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |