CVE-2019-11356

CRITICAL

Cyrus IMAP 2.5.0-2.5.12 - Remote Code Execution via CalDAV iCalendar Property Name

Title source: llm
STIX 2.1

Description

The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name.

References (10)

Core 10
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.cyrusimap.org/imap/download/release-notes/2.5/index.html
Release Notes, Vendor Advisory x_refsource_misc
https://www.cyrusimap.org/imap/download/release-notes/3.0/index.html
Release Notes, Vendor Advisory x_refsource_misc
https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.13.html
Release Notes, Vendor Advisory x_refsource_misc
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.10.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4458
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Jun/9
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1771
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4566-1/

Scores

CVSS v3 9.8
EPSS 0.2825
EPSS Percentile 96.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-787
Status published
Products (13)
canonical/ubuntu_linux 18.04
cyrus/imap 2.5.0 - 2.5.12
debian/debian_linux 9.0
fedoraproject/fedora 29
fedoraproject/fedora 30
redhat/enterprise_linux 8.0
redhat/enterprise_linux_eus 8.1
redhat/enterprise_linux_eus 8.2
redhat/enterprise_linux_eus 8.4
redhat/enterprise_linux_server_aus 8.2
... and 3 more
Published Jun 03, 2019
Tracked Since Feb 18, 2026