CVE-2018-19518

Advisory lineage Upstream: 0 Downstream: 11
Modified
Published: 25 Nov 2018, 10:00
Last modified:05 Aug 2024, 11:37

Vulnerability Summary

Overall Risk (default)
high
63/100
CVSS Score
8.5 HIGH
v2.0 (nvd)
EPSS Score
93.87% CRITICAL
94% probability -0.09%
KEV
Not listed
Ransomware
No reports
Public exploits
7 found
Dark Web
Not detected

Timeline

25 Nov 2018, 10:00
Published
Vulnerability first disclosed
05 Aug 2024, 11:37
Last Modified
Vulnerability information updated

Description

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • v2.0HIGHScore: 8.5AV:N/AC:M/Au:S/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 93.87% Percentile: 100%

Techniques & Countermeasures

  • CWE-88Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

    The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Affected Systems

  • canonicalubuntu_linux

    16.04 | 18.04 | 19.04

  • debiandebian_linux

    8.0 | 9.0

  • UnknownPHP

    ≥ 5.6.0, ≤ 5.6.38 | ≥ 7.0.0, ≤ 7.0.32 | ≥ 7.1.0, ≤ 7.1.24 | ≥ 7.2.0, ≤ 7.2.12

  • uw-imap_projectuw-imap

    2007f

References (20)