CVE-2018-19518

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 25-11-2018 11:29

Last modified: - 18-04-2022 08:12

Total changes: - 5

Description

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

High

Attack complexity

Network

Attack vector

High

Availability

High

Confidentiality

High

Integrity

Low

Privileges required

Unchanged

Scope

None

User interaction

7.5

Base score

1.6

5.9

Exploitability score

Impact score

Verification logic

vendor=php AND product=php AND versionEndIncluding=7.2.12 AND versionStartIncluding=7.2.0

vendor=php AND product=php AND versionEndIncluding=7.0.32 AND versionStartIncluding=7.0.0

vendor=php AND product=php AND versionEndIncluding=7.1.24 AND versionStartIncluding=7.1.0

vendor=php AND product=php AND versionEndIncluding=5.6.38 AND versionStartIncluding=5.6.0

vendor=Debian AND product=debian_linux AND version=8.0

vendor=Debian AND product=debian_linux AND version=9.0

vendor=uw-imap_project AND product=uw-imap AND version=2007f

vendor=canonical AND product=ubuntu_linux AND version=16.04 AND software_edition=esm

vendor=canonical AND product=ubuntu_linux AND version=18.04 AND software_edition=lts

vendor=canonical AND product=ubuntu_linux AND version=19.04

Reference

https://www.openwall.com/lists/oss-security/2018/11/22/3
https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
https://bugs.php.net/bug.php?id=77160
https://bugs.php.net/bug.php?id=77153
https://bugs.php.net/bug.php?id=76428
https://bugs.debian.org/913836
https://bugs.debian.org/913835
https://bugs.debian.org/913775
https://antichat.com/threads/463395/#post-4254681
1042157-Broken Link
106018-Broken Link
https://git.php.net/?p=php-src.git;a=commit;h=e5bfea64c81ae34816479bb05d17cdffe45adddb
45914-Exploit, Third Party Advisory, VDB Entry
DSA-4353-Third Party Advisory
[debian-lts-announce] 20181217 [SECURITY] [DLA 1608-1] php5 security update-Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20181221-0004/
[debian-lts-announce] 20190301 [SECURITY] [DLA 1700-1] uw-imap security update-Mailing List, Third Party Advisory
USN-4160-1-Third Party Advisory
GLSA-202003-57-Third Party Advisory
[debian-lts-announce] 20211229 [SECURITY] [DLA 2866-1] uw-imap security update-Mailing List, Third Party Advisory

Keywords

CVE-2018-19518

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2018-19518

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures