VDB
CVE-2011-1926
CVE-2011-1926
PUBLISHED
CVSS 5.099999904632568 MEDIUM
The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
EPSS 4.87% · 89.8th percentile
Risk Scores
CVSS 2.0
5.099999904632568
EPSS Score
4.87%
89.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| cmu | cyrus_imap_server | 2.3.13, 0, 2.0.17 |
| n/a | n/a | n/a |
Timeline
- May 23, 2011 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- Jul 17, 2023 EPSS Score
- Sep 7, 2023 EPSS Score
References
- RHSA-2011:0859 vendor-advisory
- FEDORA-2011-7217 vendor-advisory
- DSA-2258 vendor-advisory
- http://www.cyrusimap.org/docs/cyrus-imapd/2.4.7/changes.php url
- MDVSA-2011:100 vendor-advisory
- FEDORA-2011-7193 vendor-advisory
- 1025625 vdb
- http://bugzilla.cyrusimap.org/show_bug.cgi?id=3423 url
- DSA-2242 vendor-advisory
- 44876 third-party-advisory
- [oss-security] 20110517 CVE Request -- Cyrus-IMAP STARTTLS issue -- [was: Re: pure-ftpd STARTTLS command injection / new CVE?] mailing-list
- VU#555316 third-party-advisory
- 44928 third-party-advisory
- 44913 third-party-advisory
- http://bugzilla.cyrusimap.org/show_bug.cgi?id=3424 url
- 44670 third-party-advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=705288 url
- cyrus-starttls-command-exec(67867) vdb
- http://git.cyrusimap.org/cyrus-imapd/patch/?id=523a91a5e86c8b9a27a138f04a3e3f2d8786f162 url
- [oss-security] 20110517 Re: CVE Request -- Cyrus-IMAP STARTTLS issue -- [was: Re: pure-ftpd STARTTLS command injection / new CVE?] mailing-list
…and 1 more