CVSS2: 4.4 Medium (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
EPSS: 0.0004 Low (Percentile: 10.1%)
The Cyrus IMAP server contains a vulnerability that may allow an authenticated attacker to execute code.
The Cyrus IMAP mail server supports the SIEVE mail filtering language. Cyrus IMAP versions 2.2 through 2.3.14 contain a buffer overflow vulnerability that may be triggered by a specially crafted SIEVE script. To install this type of script, the attacker would need to have direct access to a mail account on the server.
An attacker with the ability to install SIEVE scripts may be able to gain elevated privileges and use the new permissions to execute code, read other users' mail, or send spoofed email messages.
Update
The Cyrus IMAP team has released an update to address this issue. See <http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html> for more information.
Disable SIEVE
Administrators who compile Cyrus IMAP from source can use the --disable-sieve option to mitigate this issue.
336053
Notified: September 04, 2009 Updated: September 10, 2009
Statement Date: September 09, 2009
Affected
We have not received a statement from the vendor.
<http://www.us.debian.org/security/2009/dsa-1881>
Notified: September 04, 2009 Updated: September 10, 2009
Statement Date: September 10, 2009
Affected
We have not received a statement from the vendor.
All SUSE Linux products are affected by this issue. Fixed packages will be available soon and can be installed via YaST.
Notified: September 04, 2009 Updated: September 08, 2009
Statement Date: September 08, 2009
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: September 04, 2009 Updated: September 11, 2009
Statement Date: September 09, 2009
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: September 04, 2009 Updated: September 10, 2009
Statement Date: September 10, 2009
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: September 04, 2009 Updated: September 05, 2009
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 04, 2009 Updated: September 10, 2009
Statement Date: September 10, 2009
Unknown
We have not received a statement from the vendor.
Openwall GNU/*/Linux is not affected. We do not ship Cyrus IMAPd.
Thanks to the Cyrus IMAP development team and Bron Gondwana for information that was used in this report.
This document was written by Ryan Giobbi.
CVE IDs: | CVE-2009-2632 |
---|---|
Severity Metric: | 0.56 |
Date Public: | |