PT-2019-5233 · Cyrus IMAP

Published: 2019-12-16 · Updated: 2025-04-04 · CVE-2019-19783

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
- Cyrus IMAP versions prior to 2.5.15
- Cyrus IMAP versions 3.0.x prior to 3.0.13
- Cyrus IMAP versions 3.1.x through 3.1.8
Description
The issue stems from a missing input validation mechanism in the Cyrus IMAP server and can be exploited by a remote attacker to impact the integrity of information. If sieve script uploading is allowed or certain non-default sieve options are enabled, a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, due to folder mishandling in the autosieve_createfolder() function.
Recommendations
- For Cyrus IMAP versions prior to 2.5.15, update to version 2.5.15 or later.
- For Cyrus IMAP versions 3.0.x prior to 3.0.13, update to version 3.0.13 or later.
- For Cyrus IMAP versions 3.1.x through 3.1.8, update to a version later than 3.1.8.
As a temporary workaround, consider disabling sieve script uploading or restricting the use of non-default sieve options until the update can be applied.

Status: Fix

Weakness Enumeration: Improper Privilege Management

Tags: RCE

Related Identifiers

ALT-PU-2020-1001
ALT-PU-2020-1020
BDU:2020-01976
CESA-2020_4655
CVE-2019-19783
DSA-4590-1
MGASA-2020-0010
OPENSUSE-SU-2025:14968-1
RHSA-2020:4655
RHSA-2020_4655
USN-4566-1

Affected Products

Alt Linux
Centos
Cyrus Imap
Red Hat
Ubuntu