Bug 1786756 (CVE-2019-19783) - CVE-2019-19783 cyrus-imapd: lmtpd component created mailboxes with administrator privileges if the "fileinto" was used, bypassing ACL checks
Summary: CVE-2019-19783 cyrus-imapd: lmtpd component created mailboxes with administra...
Alias: CVE-2019-19783
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1786757 1804047 1804048
Blocks: 1786758
TreeView+ depends on / blocked
Reported: 2019-12-27 17:46 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 20:49 UTC (History)
6 users (show)

Fixed In Version: cyrus-imapd 2.5.14, cyrus-imapd 3.0.12
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-11-04 02:23:56 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4655 0 None None None 2020-11-04 02:42:58 UTC

Description Guilherme de Almeida Suckevicz 2019-12-27 17:46:41 UTC
An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.


Comment 1 Guilherme de Almeida Suckevicz 2019-12-27 17:48:27 UTC
Created cyrus-imapd tracking bugs for this issue:

Affects: fedora-all [bug 1786757]

Comment 2 Huzaifa S. Sidhpurwala 2020-02-18 05:34:41 UTC

Sieve scripts allow creation custom mail boxes when "fileinto" directives are used. If a user is not allowed to create a new mail box but is allowed to upload a custom sieve script, then this flaw can be used to bypass this restriction. Since admin privs are used when new mailbox creation is triggerred via the fileinto directive.

lmtpd no longer creates these mailboxes as administrator, so users may no longer use a ‘fileinto’ directive to create a mailbox they couldn’t create otherwise.

Upstream patch: https://github.com/cyrusimap/cyrus-imapd/commit/673ebd96e2efbb8895d08648983377262f35b3f7

Comment 3 Huzaifa S. Sidhpurwala 2020-02-18 05:34:44 UTC

This flaw can be mitigated by:
1. In cyrus-imapd >= 2.5 disable anysievefolder (it is disabled by default)
2. In cyrus-imapd >=3.0 disable sieve_extensions

Comment 5 Product Security DevOps Team 2020-11-04 02:23:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 6 errata-xmlrpc 2020-11-04 02:42:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4655 https://access.redhat.com/errata/RHSA-2020:4655

Note You need to log in before you can comment on or make changes to this bug.