CVE-2018-19518

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
Argument Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
phpphp
5.6.0 ≤
𝑥
≤ 5.6.38
phpphp
7.0.0 ≤
𝑥
≤ 7.0.32
phpphp
7.1.0 ≤
𝑥
≤ 7.1.24
phpphp
7.2.0 ≤
𝑥
≤ 7.2.12
debiandebian_linux
8.0
debiandebian_linux
9.0
canonicalubuntu_linux
16.04
canonicalubuntu_linux
18.04
canonicalubuntu_linux
19.04
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
uw-imap
bookworm
8:2007f~dfsg-7
fixed
bullseye
8:2007f~dfsg-7
fixed
sid
8:2007f~dfsg-7
fixed
trixie
8:2007f~dfsg-7
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php-imap
bionic
dne
cosmic
dne
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
trusty
Fixed 5.4.6-0ubuntu5.1
released
xenial
dne
php5
bionic
dne
cosmic
dne
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
trusty
not-affected
xenial
dne
php7.0
bionic
dne
cosmic
dne
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
trusty
dne
xenial
Fixed 7.0.33-0ubuntu0.16.04.1
released
php7.2
bionic
Fixed 7.2.15-0ubuntu0.18.04.1
released
cosmic
Fixed 7.2.15-0ubuntu0.18.20.1
released
disco
Fixed 7.2.15-0ubuntu2
released
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
trusty
dne
xenial
dne
php7.3
bionic
dne
cosmic
dne
disco
dne
eoan
not-affected
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
trusty
dne
xenial
dne
uw-imap
bionic
Fixed 8:2007f~dfsg-5ubuntu0.18.04.2
released
cosmic
ignored
disco
Fixed 8:2007f~dfsg-5ubuntu0.19.04.2
released
eoan
not-affected
focal
not-affected
groovy
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
trusty
Fixed 8:2007f~dfsg-2ubuntu0.1~esm1
released
xenial
Fixed 8:2007f~dfsg-4+deb8u1build0.16.04.1
released
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
php56
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-bcmath
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-cli
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-common
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-dba
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-dbg
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-debuginfo
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-devel
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-embedded
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-enchant
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-fpm
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-gd
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-gmp
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-imap
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-intl
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-ldap
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-mbstring
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-mcrypt
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-mssql
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-mysqlnd
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-odbc
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-opcache
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-pdo
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-pgsql
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-process
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-pspell
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-recode
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-snmp
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-soap
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-tidy
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-xml
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php56-xmlrpc
Amazon Linux 1
0:5.6.39-1.141.amzn1
fixed
php70
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-bcmath
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-cli
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-common
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-dba
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-dbg
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-debuginfo
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-devel
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-embedded
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-enchant
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-fpm
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-gd
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-gmp
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-imap
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-intl
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-json
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-ldap
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-mbstring
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-mcrypt
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-mysqlnd
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-odbc
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-opcache
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-pdo
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-pdo-dblib
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-pgsql
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-process
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-pspell
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-recode
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-snmp
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-soap
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-tidy
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-xml
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-xmlrpc
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php70-zip
Amazon Linux 1
0:7.0.33-1.32.amzn1
fixed
php71
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-bcmath
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-cli
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-common
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-dba
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-dbg
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-debuginfo
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-devel
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-embedded
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-enchant
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-fpm
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-gd
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-gmp
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-imap
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-intl
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-json
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-ldap
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-mbstring
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-mcrypt
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-mysqlnd
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-odbc
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-opcache
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-pdo
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-pdo-dblib
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-pgsql
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-process
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-pspell
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-recode
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-snmp
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-soap
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-tidy
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-xml
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php71-xmlrpc
Amazon Linux 1
0:7.1.25-1.35.amzn1
fixed
php72
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-bcmath
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-cli
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-common
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-dba
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-dbg
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-debuginfo
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-devel
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-embedded
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-enchant
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-fpm
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-gd
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-gmp
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-imap
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-intl
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-json
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-ldap
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-mbstring
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-mysqlnd
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-odbc
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-opcache
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-pdo
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-pdo-dblib
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-pgsql
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-process
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-pspell
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-recode
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-snmp
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-soap
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-tidy
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-xml
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
php72-xmlrpc
Amazon Linux 1
0:7.2.13-1.7.amzn1
fixed
References