CVE-2017-12843

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2017-12843
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-12843.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-12843
Published
2017-08-22T14:29:00Z
Modified
2025-10-15T08:45:26.162279Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

Cyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) SYNCGET or (3) SYNCRESTORE command.

References

Affected packages

Git / github.com/cyrusimap/cyrus-imapd

Affected ranges

Type
GIT
Repo
https://github.com/cyrusimap/cyrus-imapd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
53c4137bd924b954432c6c59da7572c4c5ffa901
Fixed
5edadcfb83bf27107578830801817f9e6d0ad941

Affected versions

cyrus-imapd-2.*

cyrus-imapd-2.4.0
cyrus-imapd-2.4.1
cyrus-imapd-2.4.2
cyrus-imapd-2.5-snapshot-autoconf-and-automake

cyrus-imapd-3.*

cyrus-imapd-3.0.0
cyrus-imapd-3.0.0-beta1
cyrus-imapd-3.0.0-beta2
cyrus-imapd-3.0.0-beta3
cyrus-imapd-3.0.0-beta4
cyrus-imapd-3.0.0-beta5
cyrus-imapd-3.0.0-beta6
cyrus-imapd-3.0.0-rc1
cyrus-imapd-3.0.0-rc2
cyrus-imapd-3.0.0-rc3
cyrus-imapd-3.0.0-rc4
cyrus-imapd-3.0.1
cyrus-imapd-3.0.2

Other

posttab
pretab

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/cyrusimap/cyrus-imapd/commit/53c4137bd924b954432c6c59da7572c4c5ffa901",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "function_hash": "219674385116949669689531931084615460613",
            "length": 31769.0
        },
        "id": "CVE-2017-12843-1e9dd47e",
        "target": {
            "file": "imap/imapd.c",
            "function": "cmdloop"
        }
    },
    {
        "source": "https://github.com/cyrusimap/cyrus-imapd/commit/53c4137bd924b954432c6c59da7572c4c5ffa901",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "161128613383819007586463619634483843151",
                "247646011980684610366732833178382271585",
                "117649494215732086727697220710446517150",
                "25678961534949601427643206566031952390",
                "321879204090622899167320675902942221417",
                "95492214099119843086933575276605995570",
                "40052073482816729274258523037394326858",
                "9415395520730484765121547924204674290",
                "68510313081674407547137399637119008344",
                "113630191945278763666264973165402073917",
                "71622623123100473624602567434342980495",
                "105528104037368304783568870655991787539",
                "188627384149172411541344254574538229807",
                "127144214496107017475562256074299742797",
                "58323221536832303534964024022938136959",
                "265902620788923641370796790665256047362"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2017-12843-8460ba00",
        "target": {
            "file": "imap/imapd.c"
        }
    },
    {
        "source": "https://github.com/cyrusimap/cyrus-imapd/commit/5edadcfb83bf27107578830801817f9e6d0ad941",
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "295552485209809559387918567516293511145",
                "261979249809713859476274311045381448339",
                "323157408804143212518229855208579015065",
                "178275422903867361598737443910390870288",
                "234979729427704345675062428659603511743",
                "149575214822771283851743185746180719919",
                "152905246687527392045936000061229121126",
                "250028031704981336781974230307776458627",
                "168522515657573590009777703836487125217",
                "178988605723110663703880526640644175355",
                "128924283431929782883337105278565343735"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2017-12843-b46bc409",
        "target": {
            "file": "imap/dlist.c"
        }
    },
    {
        "source": "https://github.com/cyrusimap/cyrus-imapd/commit/5edadcfb83bf27107578830801817f9e6d0ad941",
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "function_hash": "147276937647950069138628309929940399140",
            "length": 578.0
        },
        "id": "CVE-2017-12843-cc44fc72",
        "target": {
            "file": "imap/dlist.c",
            "function": "dlist_reserve_path"
        }
    }
]