8.5
CVE-2018-19518
- EPSS 95.23%
- Veröffentlicht 25.11.2018 10:29:00
- Zuletzt bearbeitet 21.11.2024 03:58:04
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Debian ≫ Debian Linux Version8.0
Debian ≫ Debian Linux Version9.0
Uw-imap Project ≫ Uw-imap Version2007f
Canonical ≫ Ubuntu Linux Version16.04 SwEditionesm
Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts
Canonical ≫ Ubuntu Linux Version19.04
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 95.23% | 0.999 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 1.6 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 8.5 | 6.8 | 10 |
AV:N/AC:M/Au:S/C:C/I:C/A:C
|
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
https://www.debian.org/security/2018/dsa-4353
http://www.securityfocus.com/bid/106018
http://www.securitytracker.com/id/1042157
https://antichat.com/threads/463395/#post-4254681
https://bugs.debian.org/913775
https://bugs.debian.org/913835
https://bugs.debian.org/913836
https://bugs.php.net/bug.php?id=76428
https://bugs.php.net/bug.php?id=77153
https://bugs.php.net/bug.php?id=77160
https://git.php.net/?p=php-src.git%3Ba=commit%3Bh=e5bfea64c81ae34816479bb05d17cdffe45adddb
https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
https://lists.debian.org/debian-lts-announce/2018/12/msg00006.html
https://lists.debian.org/debian-lts-announce/2019/03/msg00001.html
https://lists.debian.org/debian-lts-announce/2021/12/msg00031.html
https://security.gentoo.org/glsa/202003-57
https://security.netapp.com/advisory/ntap-20181221-0004/
https://usn.ubuntu.com/4160-1/
https://www.exploit-db.com/exploits/45914/
https://www.openwall.com/lists/oss-security/2018/11/22/3