CVE-2019-19783

{"id": "CVE-2019-19783", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2019-12-16T14:15:12.257", "references": [{"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIV4HQ6LG5GPRO4B5Z2NHCZUPBUVVVF/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IGOO5UGEBBDPN7B2YXLK7I7L3Y35EBA/", "source": "cve@mitre.org"}, {"url": "https://seclists.org/bugtraq/2019/Dec/38", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/202006-23", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://usn.ubuntu.com/4566-1/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.debian.org/security/2019/dsa-4590", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIV4HQ6LG5GPRO4B5Z2NHCZUPBUVVVF/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IGOO5UGEBBDPN7B2YXLK7I7L3Y35EBA/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://seclists.org/bugtraq/2019/Dec/38", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202006-23", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://usn.ubuntu.com/4566-1/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2019/dsa-4590", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Cyrus IMAP versiones anteriores a 2.5.15, versiones 3.0.x antes de 3.0.13 y versiones 3.1.x hasta 3.1.8. Si la carga de script tamizado est\u00e1 permitida (versiones 3.x) o ciertas opciones de tamizado no predeterminadas est\u00e1n habilitadas (versiones 2.x), un usuario con una cuenta de correo en el servicio puede usar un script tamizado que contiene un archivo en la directiva para crear cualquier buz\u00f3n con el administrador privilegios, debido a un manejo inapropiado de la carpeta en la funci\u00f3n autosieve_createfolder() en el archivo imap/lmtp_sieve.c."}], "lastModified": "2024-11-21T04:35:22.613", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cyrus:imap:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "375632E2-D569-4787-A113-95C061809EC5", "versionEndExcluding": "2.5.15", "versionStartIncluding": "2.5.0"}, {"criteria": "cpe:2.3:a:cyrus:imap:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5FA80924-6B46-4E05-AE58-B964736AA14C", "versionEndExcluding": "3.0.13", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:cyrus:imap:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C48D8099-1C24-41D1-941C-2940A2527BA1", "versionEndExcluding": "3.1.8", "versionStartIncluding": "3.1.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}