CVE-2019-19783

Published: 16 December 2019

An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.

Priority

Medium

CVSS 3 base score: 6.5

Status

Package Release Status
cyrus-imapd
Launchpad, Ubuntu, Debian
Upstream
Released (3.0.13-1)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(3.0.13-2ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(3.0.13-2ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (2.5.10-3ubuntu1.1)
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Ubuntu 12.04 ESM (Precise Pangolin) Does not exist