An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c. References: https://seclists.org/bugtraq/2019/Dec/38 https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html
Created cyrus-imapd tracking bugs for this issue: Affects: fedora-all [bug 1786757]
Analysis: Sieve scripts allow creation custom mail boxes when "fileinto" directives are used. If a user is not allowed to create a new mail box but is allowed to upload a custom sieve script, then this flaw can be used to bypass this restriction. Since admin privs are used when new mailbox creation is triggerred via the fileinto directive. lmtpd no longer creates these mailboxes as administrator, so users may no longer use a ‘fileinto’ directive to create a mailbox they couldn’t create otherwise. Upstream patch: https://github.com/cyrusimap/cyrus-imapd/commit/673ebd96e2efbb8895d08648983377262f35b3f7
Mitigation: This flaw can be mitigated by: 1. In cyrus-imapd >= 2.5 disable anysievefolder (it is disabled by default) 2. In cyrus-imapd >=3.0 disable sieve_extensions
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19783
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4655 https://access.redhat.com/errata/RHSA-2020:4655