{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-14T04:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html"}, {"name": "20191219 [SECURITY] [DSA 4590-1] cyrus-imapd security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Dec/38"}, {"name": "DSA-4590", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4590"}, {"name": "FEDORA-2019-7938c21723", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIV4HQ6LG5GPRO4B5Z2NHCZUPBUVVVF/"}, {"name": "FEDORA-2019-ad23a4522d", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IGOO5UGEBBDPN7B2YXLK7I7L3Y35EBA/"}, {"name": "GLSA-202006-23", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202006-23"}, {"name": "USN-4566-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4566-1/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19783", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html", "refsource": "MISC", "url": "https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html"}, {"name": "https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html", "refsource": "MISC", "url": "https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html"}, {"name": "20191219 [SECURITY] [DSA 4590-1] cyrus-imapd security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Dec/38"}, {"name": "DSA-4590", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4590"}, {"name": "FEDORA-2019-7938c21723", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2DIV4HQ6LG5GPRO4B5Z2NHCZUPBUVVVF/"}, {"name": "FEDORA-2019-ad23a4522d", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IGOO5UGEBBDPN7B2YXLK7I7L3Y35EBA/"}, {"name": "GLSA-202006-23", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202006-23"}, {"name": "USN-4566-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4566-1/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:25:12.659Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html"}, {"name": "20191219 [SECURITY] [DSA 4590-1] cyrus-imapd security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Dec/38"}, {"name": "DSA-4590", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4590"}, {"name": "FEDORA-2019-7938c21723", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIV4HQ6LG5GPRO4B5Z2NHCZUPBUVVVF/"}, {"name": "FEDORA-2019-ad23a4522d", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IGOO5UGEBBDPN7B2YXLK7I7L3Y35EBA/"}, {"name": "GLSA-202006-23", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202006-23"}, {"name": "USN-4566-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4566-1/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19783", "datePublished": "2019-12-16T13:06:54", "dateReserved": "2019-12-13T00:00:00", "dateUpdated": "2024-08-05T02:25:12.659Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cyrus:imap:*:*:*:*:*:*:*:*", "matchCriteriaId": "375632E2-D569-4787-A113-95C061809EC5", "versionEndExcluding": "2.5.15", "versionStartIncluding": "2.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cyrus:imap:*:*:*:*:*:*:*:*", "matchCriteriaId": "5FA80924-6B46-4E05-AE58-B964736AA14C", "versionEndExcluding": "3.0.13", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cyrus:imap:*:*:*:*:*:*:*:*", "matchCriteriaId": "C48D8099-1C24-41D1-941C-2940A2527BA1", "versionEndExcluding": "3.1.8", "versionStartIncluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Cyrus IMAP versiones anteriores a 2.5.15, versiones 3.0.x antes de 3.0.13 y versiones 3.1.x hasta 3.1.8. Si la carga de script tamizado est\u00e1 permitida (versiones 3.x) o ciertas opciones de tamizado no predeterminadas est\u00e1n habilitadas (versiones 2.x), un usuario con una cuenta de correo en el servicio puede usar un script tamizado que contiene un archivo en la directiva para crear cualquier buz\u00f3n con el administrador privilegios, debido a un manejo inapropiado de la carpeta en la funci\u00f3n autosieve_createfolder() en el archivo imap/lmtp_sieve.c."}], "id": "CVE-2019-19783", "lastModified": "2024-11-21T04:35:22.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-16T14:15:12.257", "references": [{"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIV4HQ6LG5GPRO4B5Z2NHCZUPBUVVVF/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IGOO5UGEBBDPN7B2YXLK7I7L3Y35EBA/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Dec/38"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202006-23"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4566-1/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "url": "https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "url": "https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2019/dsa-4590"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIV4HQ6LG5GPRO4B5Z2NHCZUPBUVVVF/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IGOO5UGEBBDPN7B2YXLK7I7L3Y35EBA/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Dec/38"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202006-23"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4566-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "url": "https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "url": "https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2019/dsa-4590"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:4655", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "cyrus-imapd-0:3.0.7-19.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-11-04T00:00:00Z"}], "bugzilla": {"description": "cyrus-imapd: lmtpd component created mailboxes with administrator privileges if the \"fileinto\" was used, bypassing ACL checks", "id": "1786756", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1786756"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-287", "details": ["An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c."], "mitigation": {"lang": "en:us", "value": "This flaw can be mitigated by:\n1. In cyrus-imapd >= 2.5 disable anysievefolder (it is disabled by default)\n2. In cyrus-imapd >=3.0 disable sieve_extensions"}, "name": "CVE-2019-19783", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "cyrus-imapd", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "cyrus-imapd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "cyrus-imapd", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2019-12-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-19783\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-19783"], "threat_severity": "Moderate"}