CVE-2019-19783 — MEDIUM (6.5)

Q: How severe is CVE-2019-19783?

CVE-2019-19783 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-19783?

Check the references section above for vendor advisories and patch information. Affected products include: Cyrus Imap, Debian Debian Linux, Fedoraproject Fedora, Canonical Ubuntu Linux.

Vulnerability Description

An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Cyrus	Imap	>= 2.5.0, < 2.5.15
Debian	Debian Linux	9.0
Fedoraproject	Fedora	30
Canonical	Ubuntu Linux	18.04

Related Weaknesses (CWE)

CWE-269

References

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://seclists.org/bugtraq/2019/Dec/38Mailing ListThird Party Advisory
https://security.gentoo.org/glsa/202006-23Third Party Advisory
https://usn.ubuntu.com/4566-1/Third Party Advisory
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.htmlPatchRelease NotesVendor Advisory
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.htmlPatchRelease NotesVendor Advisory
https://www.debian.org/security/2019/dsa-4590Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://seclists.org/bugtraq/2019/Dec/38Mailing ListThird Party Advisory
https://security.gentoo.org/glsa/202006-23Third Party Advisory
https://usn.ubuntu.com/4566-1/Third Party Advisory
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.htmlPatchRelease NotesVendor Advisory
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.htmlPatchRelease NotesVendor Advisory

FAQ

What is CVE-2019-19783?

CVE-2019-19783 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a ...

How severe is CVE-2019-19783?

CVE-2019-19783 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-19783?

Check the references section above for vendor advisories and patch information. Affected products include: Cyrus Imap, Debian Debian Linux, Fedoraproject Fedora, Canonical Ubuntu Linux.