Cyrus IMAP httpd CalDAV Feature Remote Code Execution Vulnerability

By GIXnews


A vulnerability in the CalDAV feature of Cyrus IMAP could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to insufficient bounds checks by the affected software, which could cause a buffer overrun condition in the httpd daemon of the affected software. An attacker could exploit this vulnerability by executing an HTTP PUT operation for an event with a long iCalendar property name that submits malicious input to the targeted system. A successful exploit could allow the attacker to execute arbitrary code, which could be used to conduct further attacks.

The Cyrus Team has confirmed the vulnerability and released software updates.

Security Impact Rating: Critical

CVE: CVE-2019-11356

Source:: Cisco Multivendor Vulnerability Alerts