Vulnerability Note VU#740169
Cyrus IMAP Server contains a buffer overflow vulnerability
A buffer overflow vulnerability exists in versions of Cyrus IMAP Server up to and including 2.1.10. This vulnerability may allow a remote attacker to execute arbitrary code on the mail server with the privileges of the Cyrus IMAP Server.
Cyrus IMAP Server is an e-mail application that uses the Internet Message Access Protocol (lMAP). Versions prior to 2.1.10 and 2.0.16 contain a buffer overflow vulnerability that may be exploited prior to authentication to the IMAP server. This vulnerability may allow a remote attacker to execute arbitrary code on the mail server with the privileges of the Cyrus IMAP Server. Exploitation of this vulnerability may also be limited by the implementation of malloc() being used on the system.
A remote attacker can execute arbitrary code on the system with the privileges of the Cyrus IMAP Server. This is not typically root, but may lead to the ability to read all mail on the system.
This issue is resolved in version 2.1.11 and 2.0.17.
Version 1.x is not supported and there are no plans for any new releases for this series. Users are urged to upgrade to 2.0.17 or 2.1.11.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Cyrus||Affected||03 Dec 2002||03 Dec 2002|
CVSS Metrics (Learn More)
This vulnerability was discovered by Timo Sirainen.
This document was written by Jason A Rafail.
- CVE IDs: Unknown
- Date Public: 03 Dec 2002
- Date First Published: 03 Dec 2002
- Date Last Updated: 05 Dec 2002
- Severity Metric: 11.39
- Document Revision: 10
If you have feedback, comments, or additional information about this vulnerability, please send us email.