Veracode Vulnerability DatabaseVERACODE:23863Arbitrary Code Execution
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
cyrus-imapd is vulnerable to arbitrary code execution. The vulnerability exists as an authenticated user able to create Sieve mail filtering rules could use these flaws to execute arbitrary code with the privileges of the Cyrus IMAP server user.
References
dovecot.org/list/dovecot-news/2009-September/000135.html
lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
secunia.com/advisories/36629
secunia.com/advisories/36632
secunia.com/advisories/36698
secunia.com/advisories/36713
secunia.com/advisories/36904
support.apple.com/kb/HT4077
www.debian.org/security/2009/dsa-1881
www.openwall.com/lists/oss-security/2009/09/14/3
www.osvdb.org/58103
www.redhat.com/security/updates/classification/#important
www.securityfocus.com/bid/36296
www.securityfocus.com/bid/36377
www.ubuntu.com/usn/USN-838-1
www.vupen.com/english/advisories/2009/2559
www.vupen.com/english/advisories/2009/2641
access.redhat.com/errata/RHSA-2009:1459
bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.62&r2=1.62.2.1&only_with_tag=cyrus-imapd-2_2-tail
lists.andrew.cmu.edu/pipermail/cyrus-cvs/2009-September/001253.html
lists.andrew.cmu.edu/pipermail/cyrus-cvs/2009-September/001254.html
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10082
www.redhat.com/archives/fedora-package-announce/2009-September/msg00491.html
Related
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P