A vulnerability was found in Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection. Reference: https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html
Created cyrus-imapd tracking bugs for this issue: Affects: fedora-all [bug 1775179]
External References: https://github.com/cyrusimap/cyrus-imapd/issues/2904
Statement: If HTTP is enabled (e.g. RSS, CalDAV), cyrus-imapd does not properly authenticate a HTTP request coming through a connection that has been previously authenticated. Usually, this is not a problem, as each user will have their own connection and a breach of security boundaries would not be possible. An exception to this rule is if the cyrus-imapd HTTP service is behind a proxy, for example a reverse caching proxy, and said proxy reuses the same connection to cyrus-imapd for multiple requests.
Patch: https://github.com/cyrusimap/cyrus-imapd/commit/602f12ed2af0a49ac4a58affbfea57d0fc23dea5 https://github.com/cyrusimap/cyrus-imapd/commit/6703ff881b6056e0c045a7b795ce8ba1bbb87027
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-18928
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4655 https://access.redhat.com/errata/RHSA-2020:4655