CVE-2019-11356
Description
The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Buffer overrun in Cyrus IMAP's httpd CalDAV feature allows remote attackers to execute arbitrary code via a crafted HTTP PUT with a long iCalendar property name.
Vulnerability
The CalDAV feature in the httpd component of Cyrus IMAP versions 2.5.x through 2.5.12 and 3.0.x through 3.0.9 contains a buffer overrun vulnerability. A remote attacker can trigger this issue by sending a crafted HTTP PUT operation for an event that includes a long iCalendar property name. The affected versions are explicitly named in the advisory [1][2].
Exploitation
An attacker must have network access to the Cyrus IMAP server and the ability to send HTTP PUT requests to the CalDAV endpoint. No prior authentication is required, as the vulnerability can be triggered during the processing of the iCalendar property name before any access controls are applied. The attacker crafts a PUT request containing an excessively long iCalendar property name, which overruns a fixed-size buffer in the httpd process.
Impact
Successful exploitation allows the attacker to execute arbitrary code on the server. This leads to a full compromise of the Cyrus IMAP service, including potential disclosure or modification of all mail and calendar data stored on the server, and the ability to pivot to other systems in the network. The impact is rated as critical based on the CVSS score.
Mitigation
The vulnerability is fixed in Cyrus IMAP version 3.0.10 [2]. Users of the affected 2.5.x series should upgrade to version 2.5.13 or later [3]. Distributions such as Red Hat Enterprise Linux 8 have released updated packages (cyrus-imapd-3.0.7-15.el8_0.1) as part of RHSA-2019:1771 [1]. No workaround is available; upgrading to a patched version is the only recommended mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cyrus/IMAP
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2019:1771 (vendor advisory, Red Hat)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGO43JS7IFDNITHXOOHOP6JHRKRDIYY6/ (vendor advisory, Fedora)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PICSZDC3UGEUZ27VXGGM6OFI67D3KKLZ/ (vendor advisory, Fedora)
- usn.ubuntu.com/4566-1/ (vendor advisory, Ubuntu)
- www.debian.org/security/2019/dsa-4458 (vendor advisory, Debian)
- seclists.org/bugtraq/2019/Jun/9 (mailing list, Bugtraq)
- www.cyrusimap.org/imap/download/release-notes/2.5/index.html (Cyrus IMAP 2.5 release notes)
- www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.13.html (Cyrus IMAP 2.5.13 release notes)
- www.cyrusimap.org/imap/download/release-notes/3.0/index.html (Cyrus IMAP 3.0 release notes)
- www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.10.html (Cyrus IMAP 3.0.10 release notes)
News mentions
No linked articles in our index yet.