CVE-2017-12843
MEDIUMCyrus IMAP < 3.0.3 - Authenticated Arbitrary File Write via SYNCAPPLY, SYNCGET, or SYNCRESTORE Command
Title source: llmDescription
Cyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) SYNCGET or (3) SYNCRESTORE command.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
https://github.com/cyrusimap/cyrus-imapd/commit/5edadcfb83bf27107578830801817f9e6d0ad941
Release Notes, Vendor Advisory x_refsource_confirm
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.3.html
Third Party Advisory x_refsource_confirm
https://github.com/cyrusimap/cyrus-imapd/commit/53c4137bd924b954432c6c59da7572c4c5ffa901
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6M32R5QPCCNT57BVH3NPV5WVJFSTDP7Q/
Scores
CVSS v3
6.5
EPSS
0.0123
EPSS Percentile
65.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-20
Status
published
Products (2)
cyrusimap/cyrus_imap
< 3.0.2
fedoraproject/fedora
26
Published
Aug 22, 2017
Tracked Since
Feb 18, 2026