rpm package
opensuse/cyrus-imapd&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/cyrus-imapd&distro=openSUSE%20Tumbleweed
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-49812 | — | | | < 3.8.6-1.1 | 3.8.6-1.1 | Jul 10, 2025 | In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. |
| CVE-2025-23394 | Cri | 9.8 | | < 3.8.4-2.1 | 3.8.4-2.1 | May 26, 2025 | A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root. This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1. |
| CVE-2024-34055 | — | | | < 3.8.4-1.1 | 3.8.4-1.1 | Jun 5, 2024 | Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation by sending many LITERALs in a single command. |
| CVE-2021-33582 | — | | | < 2.4.22-2.1 | 2.4.22-2.1 | Sep 1, 2021 | Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3 |
| CVE-2019-19783 | — | | | < 3.8.4-1.1 | 3.8.4-1.1 | Dec 16, 2019 | An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a file |
| CVE-2019-18928 | — | | | < 3.8.4-1.1 | 3.8.4-1.1 | Nov 15, 2019 | Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection. |
| CVE-2019-11356 | — | | | < 3.8.4-1.1 | 3.8.4-1.1 | Jun 3, 2019 | The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name. |
| CVE-2015-8078 | — | | | < 2.4.18-3.4 | 2.4.18-3.4 | Dec 3, 2015 | Integer overflow in the index_urlfetch function in imap/index.c in Cyrus IMAP 2.3.19, 2.4.18, and 2.5.6 allows remote attackers to have unspecified impact via vectors related to urlfetch range checks and the section_offset variable. NOTE: this vulnerability exists because of an |
| CVE-2015-8077 | — | | | < 2.4.18-3.4 | 2.4.18-3.4 | Dec 3, 2015 | Integer overflow in the index_urlfetch function in imap/index.c in Cyrus IMAP 2.3.19, 2.4.18, and 2.5.6 allows remote attackers to have unspecified impact via vectors related to urlfetch range checks and the start_octet variable. NOTE: this vulnerability exists because of an inc |
| CVE-2011-3372 | — | | | < 2.4.18-3.4 | 2.4.18-3.4 | Dec 24, 2011 | imap/nntpd.c in the NNTP server (nntpd) for Cyrus IMAPd 2.4.x before 2.4.12 allows remote attackers to bypass authentication by sending an AUTHINFO USER command without sending an additional AUTHINFO PASS command. |
| CVE-2009-3235 | — | | | < 2.4.18-3.4 | 2.4.18-3.4 | Sep 17, 2009 | Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1.0 before 1.0.4 and 1.1 before 1.1.7, as derived from Cyrus libsieve, allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SIEVE script, as de |