CVE-2019-11356

The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 94%
VendorProductVersion
cyrusimap
2.5.0 ≤
𝑥
≤ 2.5.12
cyrusimap
3.0.0 ≤
𝑥
≤ 3.0.9
debiandebian_linux
9.0
canonicalubuntu_linux
18.04
redhatenterprise_linux
8.0
redhatenterprise_linux_eus
8.1
redhatenterprise_linux_eus
8.2
redhatenterprise_linux_eus
8.4
redhatenterprise_linux_server_aus
8.2
redhatenterprise_linux_server_aus
8.4
redhatenterprise_linux_server_tus
8.2
redhatenterprise_linux_server_tus
8.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
cyrus-imapd
bullseye
3.2.6-2+deb11u2
fixed
bookworm
3.6.1-4+deb12u3
fixed
bookworm (security)
3.6.1-4+deb12u2
fixed
sid
3.10.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
cyrus-imapd
groovy
Fixed 3.0.8-6
released
focal
Fixed 3.0.8-6
released
eoan
Fixed 3.0.8-6
released
disco
ignored
cosmic
ignored
bionic
Fixed 2.5.10-3ubuntu1.1
released
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2019:1771
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGO43JS7IFDNITHXOOHOP6JHRKRDIYY6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PICSZDC3UGEUZ27VXGGM6OFI67D3KKLZ/
https://seclists.org/bugtraq/2019/Jun/9
https://usn.ubuntu.com/4566-1/
https://www.cyrusimap.org/imap/download/release-notes/2.5/index.html
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.13.html
https://www.cyrusimap.org/imap/download/release-notes/3.0/index.html
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.10.html
https://www.debian.org/security/2019/dsa-4458
https://access.redhat.com/errata/RHSA-2019:1771
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGO43JS7IFDNITHXOOHOP6JHRKRDIYY6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PICSZDC3UGEUZ27VXGGM6OFI67D3KKLZ/
https://seclists.org/bugtraq/2019/Jun/9
https://usn.ubuntu.com/4566-1/
https://www.cyrusimap.org/imap/download/release-notes/2.5/index.html
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.13.html
https://www.cyrusimap.org/imap/download/release-notes/3.0/index.html
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.10.html
https://www.debian.org/security/2019/dsa-4458