{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-11-25T00:00:00", "descriptions": [{"lang": "en", "value": "University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a \"-oProxyCommand\" argument."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-12-29T18:06:37", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugs.php.net/bug.php?id=77160"}, {"name": "45914", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/45914/"}, {"name": "[debian-lts-announce] 20190301 [SECURITY] [DLA 1700-1] uw-imap security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00001.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20181221-0004/"}, {"name": "1042157", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1042157"}, {"name": "DSA-4353", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4353"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.debian.org/913835"}, {"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2018/11/22/3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://git.php.net/?p=php-src.git%3Ba=commit%3Bh=e5bfea64c81ae34816479bb05d17cdffe45adddb"}, {"name": "106018", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106018"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.php.net/bug.php?id=76428"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.debian.org/913775"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.debian.org/913836"}, {"tags": ["x_refsource_MISC"], "url": "https://antichat.com/threads/463395/#post-4254681"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.php.net/bug.php?id=77153"}, {"name": "[debian-lts-announce] 20181217 [SECURITY] [DLA 1608-1] php5 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00006.html"}, {"name": "USN-4160-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4160-1/"}, {"name": "GLSA-202003-57", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-57"}, {"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2866-1] uw-imap security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00031.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-19518", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a \"-oProxyCommand\" argument."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugs.php.net/bug.php?id=77160", "refsource": "MISC", "url": "https://bugs.php.net/bug.php?id=77160"}, {"name": "45914", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/45914/"}, {"name": "[debian-lts-announce] 20190301 [SECURITY] [DLA 1700-1] uw-imap security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00001.html"}, {"name": "https://security.netapp.com/advisory/ntap-20181221-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20181221-0004/"}, {"name": "1042157", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1042157"}, {"name": "DSA-4353", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4353"}, {"name": "https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php", "refsource": "MISC", "url": "https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php"}, {"name": "https://bugs.debian.org/913835", "refsource": "MISC", "url": "https://bugs.debian.org/913835"}, {"name": "https://www.openwall.com/lists/oss-security/2018/11/22/3", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2018/11/22/3"}, {"name": "https://git.php.net/?p=php-src.git;a=commit;h=e5bfea64c81ae34816479bb05d17cdffe45adddb", "refsource": "CONFIRM", "url": "https://git.php.net/?p=php-src.git;a=commit;h=e5bfea64c81ae34816479bb05d17cdffe45adddb"}, {"name": "106018", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106018"}, {"name": "https://bugs.php.net/bug.php?id=76428", "refsource": "MISC", "url": "https://bugs.php.net/bug.php?id=76428"}, {"name": "https://bugs.debian.org/913775", "refsource": "MISC", "url": "https://bugs.debian.org/913775"}, {"name": "https://bugs.debian.org/913836", "refsource": "MISC", "url": "https://bugs.debian.org/913836"}, {"name": "https://antichat.com/threads/463395/#post-4254681", "refsource": "MISC", "url": "https://antichat.com/threads/463395/#post-4254681"}, {"name": "https://bugs.php.net/bug.php?id=77153", "refsource": "MISC", "url": "https://bugs.php.net/bug.php?id=77153"}, {"name": "[debian-lts-announce] 20181217 [SECURITY] [DLA 1608-1] php5 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00006.html"}, {"name": "USN-4160-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4160-1/"}, {"name": "GLSA-202003-57", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-57"}, {"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2866-1] uw-imap security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00031.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-19518", "datePublished": "2018-11-25T10:00:00", "dateReserved": "2018-11-25T00:00:00", "dateUpdated": "2021-12-29T18:06:37", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "8ADD47D0-0706-44E2-AE36-13AC54F5D768", "versionEndIncluding": "5.6.38", "versionStartIncluding": "5.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B38E1D2-5264-472A-AD02-D65F0B0D94E7", "versionEndIncluding": "7.0.32", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7D7FA44-5FC6-4EBE-982C-DAA32F543156", "versionEndIncluding": "7.1.24", "versionStartIncluding": "7.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "97D33246-3D83-4BFD-9149-62188C355DAB", "versionEndIncluding": "7.2.12", "versionStartIncluding": "7.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uw-imap_project:uw-imap:2007f:*:*:*:*:*:*:*", "matchCriteriaId": "E72605F6-53DB-4D26-B0E6-EFF7C772AA52", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a \"-oProxyCommand\" argument."}, {"lang": "es", "value": "La versi\u00f3n 2007f de University of Washington IMAP Toolkit en UNIX, tal y como se utiliza en imap_open() en PHP y otros productos, lanza un comando rsh (por medio de la funci\u00f3n imap_rimap en c-client/imap4r1.c y la funci\u00f3n tcp_aopen en osdep/unix/tcp_unix.c) sin prevenir una inyecci\u00f3n de argumentos. Esto podr\u00eda permitir a los atacantes remotos ejecutar comandos arbitrarios del sistema operativo si el nombre del servidor IMAP son entradas no fiables (por ejemplo, si son introducidos por un usuario de una aplicaci\u00f3n web) y si rsh ha sido reemplazado por un programa con sem\u00e1nticas de argumentos diversas. Por ejemplo, si rsh es un enlace a ssh (como es el caso de los sistemas Debian y Ubuntu), el ataque puede utilizar un nombre del servidor IMAP que contenga un argumento \"-oProxyCommand\"."}], "id": "CVE-2018-19518", "lastModified": "2023-11-07T02:55:33.997", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 8.5, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-11-25T10:29:00.250", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.securityfocus.com/bid/106018"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.securitytracker.com/id/1042157"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://antichat.com/threads/463395/#post-4254681"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.debian.org/913775"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.debian.org/913835"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.debian.org/913836"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Vendor Advisory"], "url": "https://bugs.php.net/bug.php?id=76428"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Vendor Advisory"], "url": "https://bugs.php.net/bug.php?id=77153"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://bugs.php.net/bug.php?id=77160"}, {"source": "cve@mitre.org", "url": "https://git.php.net/?p=php-src.git%3Ba=commit%3Bh=e5bfea64c81ae34816479bb05d17cdffe45adddb"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00006.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00001.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00031.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-57"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20181221-0004/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4160-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4353"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/45914/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2018/11/22/3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}