Unrated severityNVD Advisory· Published May 23, 2011· Updated Apr 29, 2026
CVE-2011-1926
CVE-2011-1926
Description
The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Affected products
35cpe:2.3:a:cmu:cyrus_imap_server:*:*:*:*:*:*:*:*+ 34 more
- cpe:2.3:a:cmu:cyrus_imap_server:*:*:*:*:*:*:*:*range: <=2.4.6
- cpe:2.3:a:cmu:cyrus_imap_server:2.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.1.17:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.1.18:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.2.13p1:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.13:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.14:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.15:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.16:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:cmu:cyrus_imap_server:2.4.5:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
19- bugzilla.cyrusimap.org/show_bug.cginvdPatch
- bugzilla.cyrusimap.org/show_bug.cginvdPatch
- openwall.com/lists/oss-security/2011/05/17/15nvdPatch
- openwall.com/lists/oss-security/2011/05/17/2nvdPatch
- bugzilla.redhat.com/show_bug.cginvdPatch
- www.kb.cert.org/vuls/id/555316nvdUS Government Resource
- lists.fedoraproject.org/pipermail/package-announce/2011-June/061374.htmlnvd
- lists.fedoraproject.org/pipermail/package-announce/2011-June/061415.htmlnvd
- secunia.com/advisories/44670nvd
- secunia.com/advisories/44876nvd
- secunia.com/advisories/44913nvd
- secunia.com/advisories/44928nvd
- www.cyrusimap.org/docs/cyrus-imapd/2.4.7/changes.phpnvd
- www.debian.org/security/2011/dsa-2242nvd
- www.debian.org/security/2011/dsa-2258nvd
- www.mandriva.com/security/advisoriesnvd
- www.redhat.com/support/errata/RHSA-2011-0859.htmlnvd
- www.securitytracker.com/idnvd
- exchange.xforce.ibmcloud.com/vulnerabilities/67867nvd
News mentions
0No linked articles in our index yet.