ID CVE-2019-11356
Summary The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name.
References
Vulnerable Configurations
  • cpe:2.3:a:cyrus:imap:3.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.0:beta4:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.0:beta5:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.0:beta6:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:3.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:2.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:2.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:2.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:2.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:2.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:2.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:2.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:2.5.7:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:2.5.8:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:2.5.9:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:2.5.10:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:2.5.11:*:*:*:*:*:*:*
  • cpe:2.3:a:cyrus:imap:2.5.12:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 03-05-2022 - 14:27)
Impact:
Exploitability:
CWE CWE-787
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1717828
title CVE-2019-11356 cyrus-imapd: buffer overflow in CalDAV request handling triggered by a long iCalendar property name
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 8 is installed
      oval oval:com.redhat.rhba:tst:20193384074
    • OR
      • AND
        • comment cyrus-imapd is earlier than 0:3.0.7-15.el8_0.1
          oval oval:com.redhat.rhsa:tst:20191771001
        • comment cyrus-imapd is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110859024
      • AND
        • comment cyrus-imapd-debugsource is earlier than 0:3.0.7-15.el8_0.1
          oval oval:com.redhat.rhsa:tst:20191771003
        • comment cyrus-imapd-debugsource is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20191771004
      • AND
        • comment cyrus-imapd-utils is earlier than 0:3.0.7-15.el8_0.1
          oval oval:com.redhat.rhsa:tst:20191771005
        • comment cyrus-imapd-utils is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110859028
      • AND
        • comment cyrus-imapd-vzic is earlier than 0:3.0.7-15.el8_0.1
          oval oval:com.redhat.rhsa:tst:20191771007
        • comment cyrus-imapd-vzic is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20191771008
rhsa
id RHSA-2019:1771
released 2019-07-15
severity Important
title RHSA-2019:1771: cyrus-imapd security update (Important)
rpms
  • cyrus-imapd-0:3.0.7-15.el8_0.1
  • cyrus-imapd-debuginfo-0:3.0.7-15.el8_0.1
  • cyrus-imapd-debugsource-0:3.0.7-15.el8_0.1
  • cyrus-imapd-utils-0:3.0.7-15.el8_0.1
  • cyrus-imapd-utils-debuginfo-0:3.0.7-15.el8_0.1
  • cyrus-imapd-vzic-0:3.0.7-15.el8_0.1
  • cyrus-imapd-vzic-debuginfo-0:3.0.7-15.el8_0.1
refmap via4
bugtraq 20190609 [SECURITY] [DSA 4458-1] cyrus-imapd security update
debian DSA-4458
fedora
  • FEDORA-2019-309f559057
  • FEDORA-2019-f0435555ac
misc
ubuntu USN-4566-1
Last major update 03-05-2022 - 14:27
Published 03-06-2019 - 20:29
Last modified 03-05-2022 - 14:27