Overview
A buffer overflow vulnerability exists in versions of Cyrus IMAP Server up to and including 2.1.10. This vulnerability may allow a remote attacker to execute arbitrary code on the mail server with the privileges of the Cyrus IMAP Server.
Description
Cyrus IMAP Server is an e-mail application that uses the Internet Message Access Protocol (lMAP). Versions prior to 2.1.10 and 2.0.16 contain a buffer overflow vulnerability that may be exploited prior to authentication to the IMAP server. This vulnerability may allow a remote attacker to execute arbitrary code on the mail server with the privileges of the Cyrus IMAP Server. Exploitation of this vulnerability may also be limited by the implementation of malloc() being used on the system. |
Impact
A remote attacker can execute arbitrary code on the system with the privileges of the Cyrus IMAP Server. This is not typically root, but may lead to the ability to read all mail on the system. |
Solution
This issue is resolved in version 2.1.11 and 2.0.17. Version 1.x is not supported and there are no plans for any new releases for this series. Users are urged to upgrade to 2.0.17 or 2.1.11. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was discovered by Timo Sirainen.
This document was written by Jason A Rafail.
Other Information
| CVE IDs: | None |
| Severity Metric: | 11.39 |
| Date Public: | 2002-12-03 |
| Date First Published: | 2002-12-03 |
| Date Last Updated: | 2002-12-05 19:31 UTC |
| Document Revision: | 11 |