CVE-2021-32056

MEDIUM

Cyrus IMAP < 3.2.7 and 3.3.x-3.4.x < 3.4.1 - Authenticated Access Control Bypass via Server Annotations

Title source: llm

Description

Cyrus IMAP before 3.2.7, and 3.3.x and 3.4.x before 3.4.1, allows remote authenticated users to bypass intended access restrictions on server annotations and consequently cause replication to stall.

References (6)

Core References
Patch, Release Notes, Vendor Advisory x_refsource_confirm
https://cyrus.topicbox.com/groups/announce/T056901c106ecfce3/cyrus-imap-3-4-1-released
Patch, Release Notes, Vendor Advisory x_refsource_confirm
https://cyrus.topicbox.com/groups/announce/T126392718bc29d6b/cyrus-imap-3-2-7-released
Patch, Release Notes, Vendor Advisory x_refsource_confirm
https://www.cyrusimap.org/imap/download/release-notes/3.4/x/3.4.1.html
Patch, Release Notes, Vendor Advisory x_refsource_confirm
https://www.cyrusimap.org/imap/download/release-notes/3.2/x/3.2.7.html

Scores

CVSS v3 4.3
EPSS 0.0170
EPSS Percentile 74.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Details

CWE
CWE-732
Status published
Products (3)
cyrus/imap < 3.2.7
fedoraproject/fedora 34
fedoraproject/fedora 35
Published May 10, 2021
Tracked Since Feb 18, 2026