{"api_version":"1","generated_at":"2026-04-23T04:33:10+00:00","cve":"CVE-2019-18928","urls":{"html":"https://cve.report/CVE-2019-18928","api":"https://cve.report/api/cve/CVE-2019-18928.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-18928","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-18928"},"summary":{"title":"CVE-2019-18928","description":"Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-11-15 04:15:00","updated_at":"2023-11-07 03:07:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LAGKPZDXQ6KRUGQVRAO6N4PCINP6KS5F/","name":"FEDORA-2019-03be160f9c","refsource":"","tags":[],"title":"[SECURITY] Fedora 31 Update: cyrus-imapd-3.0.12-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHV3TUU53WCKJ3BBRK2EHAF44MSZEFK6/","name":"FEDORA-2019-393e1cef4d","refsource":"","tags":[],"title":"[SECURITY] Fedora 30 Update: cyrus-imapd-3.0.12-1.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2022/06/msg00013.html","name":"[debian-lts-announce] 20220619 [SECURITY] [DLA 3052-1] cyrus-imapd security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3052-1] cyrus-imapd security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PHV3TUU53WCKJ3BBRK2EHAF44MSZEFK6/","name":"FEDORA-2019-393e1cef4d","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 30 Update: cyrus-imapd-3.0.12-1.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html","name":"https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html","refsource":"MISC","tags":["Patch","Release Notes","Third Party Advisory"],"title":"Cyrus IMAP 3.0.12 Release Notes — Cyrus IMAP 3.0.13 (stable) documentation","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LAGKPZDXQ6KRUGQVRAO6N4PCINP6KS5F/","name":"FEDORA-2019-03be160f9c","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 31 Update: cyrus-imapd-3.0.12-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html","name":"https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html","refsource":"MISC","tags":["Patch","Release Notes","Third Party Advisory"],"title":"Cyrus IMAP 2.5.14 Release Notes — Cyrus IMAP 3.0.13 (stable) documentation","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-18928","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-18928","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"18928","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"cyrus","cpe5":"imap","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18928","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"cyrus","cpe5":"imap","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18928","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18928","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"30","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18928","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"31","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-18928","qid":"179376","title":"Debian Security Update for cyrus-imapd (DLA 3052-1)"},{"cve":"CVE-2019-18928","qid":"377093","title":"Alibaba Cloud Linux Security Update for cyrus-imapd (ALINUX3-SA-2021:0067)"},{"cve":"CVE-2019-18928","qid":"940293","title":"AlmaLinux Security Update for cyrus-imapd (ALSA-2020:4655)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-18928","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html","url":"https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html"},{"refsource":"MISC","name":"https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html","url":"https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html"},{"refsource":"FEDORA","name":"FEDORA-2019-393e1cef4d","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PHV3TUU53WCKJ3BBRK2EHAF44MSZEFK6/"},{"refsource":"FEDORA","name":"FEDORA-2019-03be160f9c","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LAGKPZDXQ6KRUGQVRAO6N4PCINP6KS5F/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220619 [SECURITY] [DLA 3052-1] cyrus-imapd security update","url":"https://lists.debian.org/debian-lts-announce/2022/06/msg00013.html"}]}},"nvd":{"publishedDate":"2019-11-15 04:15:00","lastModifiedDate":"2023-11-07 03:07:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:cyrus:imap:*:*:*:*:*:*:*:*","versionStartIncluding":"2.5.0","versionEndExcluding":"2.5.14","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:cyrus:imap:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.0.12","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"18928","Ordinal":"160494","Title":"CVE-2019-18928","CVE":"CVE-2019-18928","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"18928","Ordinal":"1","NoteData":"Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"18928","Ordinal":"2","NoteData":"2019-11-14","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"18928","Ordinal":"3","NoteData":"2019-12-04","Type":"Other","Title":"Modified"}]}}}