CVE-2019-18928
cyrus-imapd - security update
CVSS 3.1 base score: 9.8 (CRITICAL)
EPSS: 0.39%
Description
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection. The practical reading: the authentication state the Cyrus HTTP service keeps for a persistent (keep-alive) connection is not rebuilt for each request, so a later request on that connection that carries no valid credentials (for example one from a different client whose traffic is multiplexed onto the same upstream connection by a proxy) can be processed as the user who authenticated earlier. The CVSS vector records this as PR:N, no privileges required. Exposure is limited to deployments that run Cyrus's HTTP service; IMAP, POP3 and LMTP are not on this code path.
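The pattern behind the description, as an added illustration that is not Cyrus IMAP code: a toy HTTP/1.1 keep-alive handler that stores the authentication result on the connection object and only overwrites it when a request carries credentials (vulnerable), beside one that derives the user from each request alone (hardened). The parser, the HTTP Basic credential table and the pipelined request stream are all constructed for the demo; the `/dav/...` paths are placeholders.

```python
"""Connection-scoped versus per-request authentication context on a
keep-alive HTTP connection. Added example for CVE-2019-18928; not Cyrus
code. Parser, credentials and the request stream are constructed."""

import base64

# Constructed credential table; HTTP Basic is assumed for simplicity.
USERS = {"alice": "s3cret"}


def basic_header(user, password):
    """Build an 'Authorization: Basic ...' header value (constructed helper)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def parse_requests(stream):
    """Split a pipelined, body-less HTTP/1.1 byte stream into
    (method, path, headers) tuples. Toy parser, enough for the demo."""
    requests = []
    for raw in stream.split(b"\r\n\r\n"):
        if not raw.strip():
            continue
        lines = raw.decode("ascii").split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((method, path, headers))
    return requests


def check_basic_auth(headers):
    """Return the user named by a valid Basic credential, else None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == password else None


class Connection:
    """State that lives for the whole keep-alive TCP connection."""
    def __init__(self):
        # Keeping the authenticated user here, across requests, is the bug.
        self.auth_user = None


def serve_vulnerable(stream):
    """The auth result is cached on the connection and only replaced when a
    request presents credentials, so a credential-less later request is
    served as the previously authenticated user."""
    conn = Connection()
    served = []
    for method, path, headers in parse_requests(stream):
        user = check_basic_auth(headers)
        if user is not None:
            conn.auth_user = user        # sticks for every following request
        served.append((method, path, conn.auth_user))
    return served


def serve_hardened(stream):
    """The auth context is computed from scratch for every request; without
    valid credentials the request is anonymous, whatever came before."""
    served = []
    for method, path, headers in parse_requests(stream):
        user = check_basic_auth(headers)  # per request, never inherited
        served.append((method, path, user))
    return served


# Constructed stream: an authenticated request followed, on the same
# connection, by one with no credentials at all.
PIPELINED = (
    b"PROPFIND /dav/calendars/user/alice/ HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Authorization: " + basic_header("alice", "s3cret").encode() + b"\r\n"
    b"\r\n"
    b"PROPFIND /dav/calendars/user/alice/ HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, handler in (("vulnerable", serve_vulnerable), ("hardened", serve_hardened)):
        print(name)
        for method, path, user in handler(PIPELINED):
            print(f"  {method} {path} -> served as {user!r}")
```

The second request is the one to watch: the vulnerable handler serves it as `alice`, the hardened one as anonymous. The same shape of bug appears whenever any per-connection field (user, authorization state, negotiated options) outlives the request that set it.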
How to fix CVE-2019-18928
To remediate CVE-2019-18928, upgrade the affected package to the fixed version for its release line. Note that the Debian 9 fix is a backported patch (the package version stays at upstream 2.5.10), so the upstream boundary "before 2.5.14" in the description does not apply to Debian version strings; compare against the Debian versions below.
- Debian/cyrus-imapd (3.0 line): upgrade to 3.0.12-1 or later
- Debian/cyrus-imapd (2.5 line; the +deb9u3 suffix marks a Debian 9 security update): upgrade to 2.5.10-3+deb9u3 or later
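A check for the installed package against the two fixed versions above, as an added example rather than a Debian or Cyrus tool. It re-implements dpkg's version ordering (epoch:upstream-revision, alternating non-digit and numeric runs, `~` sorting before everything including the end of the string) so it runs where dpkg is absent; the `FIXED` table holds only the versions this page lists, and the sample version strings in the usage block are constructed.

```python
"""Compare an installed Debian cyrus-imapd version with the fixed versions
for CVE-2019-18928. Added example; the comparison follows dpkg's
algorithm but this is not dpkg or python-apt code."""

import sys

# Fixed Debian package versions named in this advisory, keyed by upstream line.
FIXED = {
    "3.0": "3.0.12-1",
    "2.5": "2.5.10-3+deb9u3",   # backported fix in Debian 9, upstream stays 2.5.10
}


def _order(c):
    """dpkg character weight: digits 0, '~' below everything, letters by
    code point, other characters above letters; end of string counts 0."""
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg comparison of one upstream-version or revision string."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(a[i] if i < len(a) else "") - _order(b[j] if j < len(b) else "")
            if d:
                return d
            i += 1
            j += 1
        # Numeric run: strip leading zeros, longer run wins, else first digit diff.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_debian_version(v):
    """Split '[epoch:]upstream[-revision]' into (int epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Negative if a < b, zero if equal, positive if a > b (dpkg ordering)."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed):
    """True/False against the fixed version of the installed release line;
    None when the line is not one this advisory covers."""
    _, upstream, _ = parse_debian_version(installed)
    line = ".".join(upstream.split(".")[:2])
    fixed = FIXED.get(line)
    if fixed is None:
        return None
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Pass the output of: dpkg-query -W -f '${Version}' cyrus-imapd
    # Constructed samples are used when no argument is given.
    samples = sys.argv[1:] or ["2.5.10-3+deb9u2", "2.5.10-3+deb9u3", "3.0.11-1", "3.0.12-1"]
    for v in samples:
        print(v, {True: "fixed", False: "VULNERABLE", None: "not covered by this advisory"}[is_fixed(v)])
```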
Is CVE-2019-18928 being exploited?
Low. The EPSS score is 0.39%, an estimated probability that the vulnerability is exploited in the wild within the next 30 days; it is a prediction derived from exploitation telemetry, not a statement that attacks have or have not been observed. A low EPSS does not offset the unauthenticated, network-reachable nature of the flaw (AV:N, PR:N): any host exposing the Cyrus HTTP service should still be patched.
Affected packages (2)
- Debian/cyrus-imapd (3.0 line): from 0, < 3.0.12-1
- Debian/cyrus-imapd (2.5 line, Debian 9): from 0, < 2.5.10-3+deb9u3
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |