CVE-2019-18928

Publication date 15 November 2019

Last updated 25 August 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

9.8 · Critical

Score breakdown

Description

Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.

Status

Package Ubuntu Release Status
cyrus-imapd 24.10 oracular
Fixed 3.0.12-1
24.04 LTS noble
Fixed 3.0.12-1
23.10 mantic
Fixed 3.0.12-1
23.04 lunar
Fixed 3.0.12-1
22.10 kinetic
Fixed 3.0.12-1
22.04 LTS jammy
Fixed 3.0.12-1
21.10 impish
Fixed 3.0.12-1
21.04 hirsute
Fixed 3.0.12-1
20.10 groovy
Fixed 3.0.12-1
20.04 LTS focal
Fixed 3.0.12-1
19.10 eoan Ignored end of life
19.04 disco Ignored end of life
18.04 LTS bionic
Fixed 2.5.10-3ubuntu1.1+esm1
16.04 LTS xenial Not in release
14.04 LTS trusty Not in release

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
cyrus-imapd

Severity score breakdown

CVSS version: CVSS v3.0

Base score 9.8 · Critical

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

    • USN-7224-1
    • Cyrus IMAP Server vulnerabilities
    • 22 January 2025

Other references

Access our resources on patching vulnerabilities