CVE-2019-19783

An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/122.html
• https://cwe.mitre.org/data/definitions/233.html
• https://cwe.mitre.org/data/definitions/58.html

References

• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIV4HQ6LG5GPRO4B5Z2NHCZUPBUVVVF/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IGOO5UGEBBDPN7B2YXLK7I7L3Y35EBA/
• https://seclists.org/bugtraq/2019/Dec/38
• https://security.gentoo.org/glsa/202006-23
• https://usn.ubuntu.com/4566-1/
• https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html
• https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html
• https://www.debian.org/security/2019/dsa-4590
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIV4HQ6LG5GPRO4B5Z2NHCZUPBUVVVF/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IGOO5UGEBBDPN7B2YXLK7I7L3Y35EBA/
• https://seclists.org/bugtraq/2019/Dec/38
• https://security.gentoo.org/glsa/202006-23
• https://usn.ubuntu.com/4566-1/
• https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html
• https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html
• https://www.debian.org/security/2019/dsa-4590