CVE-2019-18928

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-18928
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-18928.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-18928
Downstream
Related
Published
2019-11-15T04:15:10.267Z
Modified
2026-05-18T05:50:43.874074797Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.

Database specific 
{
    "unresolved_ranges": [
        {
            "source": "CPE_FIELD",
            "vendor_product": "debian:debian_linux",
            "extracted_events": [
                {
                    "last_affected": "9.0"
                }
            ],
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "cpes": [
                "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
                "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*"
            ],
            "vendor_product": "fedoraproject:fedora",
            "extracted_events": [
                {
                    "last_affected": "30"
                },
                {
                    "last_affected": "31"
                }
            ],
            "source": "CPE_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/cyrusimap/cyrus-imapd

Affected ranges

Type
GIT
Repo
https://github.com/cyrusimap/cyrus-imapd
Events
Introduced
5549888feb02784120b7ef0c8a26390b83125108
Fixed
8bec158a9339eb6b9c4812b8339cb4d442e543ac
Introduced
65c252b8a3a05c09b3425ce96e1dc6a11dabbe4a
Fixed
1b3505c9d82118535791ac7c66519865f51d02f4
Database specific 
{
    "cpe": "cpe:2.3:a:cyrus:imap:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "2.5.0"
        },
        {
            "fixed": "2.5.14"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.12"
        }
    ]
}

Affected versions

cyrus-imapd-2.*
cyrus-imapd-2.5.0
cyrus-imapd-2.5.1
cyrus-imapd-2.5.10
cyrus-imapd-2.5.11
cyrus-imapd-2.5.12
cyrus-imapd-2.5.13
cyrus-imapd-2.5.2
cyrus-imapd-2.5.3
cyrus-imapd-2.5.4
cyrus-imapd-2.5.5
cyrus-imapd-2.5.6
cyrus-imapd-2.5.7
cyrus-imapd-2.5.8
cyrus-imapd-2.5.9
cyrus-imapd-3.*
cyrus-imapd-3.0.0
cyrus-imapd-3.0.1
cyrus-imapd-3.0.10
cyrus-imapd-3.0.11
cyrus-imapd-3.0.2
cyrus-imapd-3.0.3
cyrus-imapd-3.0.4
cyrus-imapd-3.0.5
cyrus-imapd-3.0.6
cyrus-imapd-3.0.7
cyrus-imapd-3.0.8
cyrus-imapd-3.0.9

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-18928.json"