CVE-2018-19518

Impact:
Moderate
Public Date:
2018-11-19
CWE:
CWE-78
Bugzilla:
1654228: CVE-2018-19518 php: imap_open() allows running arbitrary shell commands via mailbox parameter

The MITRE CVE dictionary describes this issue as:

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

Find out more about CVE-2018-19518 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 8.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-php70-php Affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-php72-php Not affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-php71-php Not affected
Red Hat Enterprise Linux 8 php Not affected
Red Hat Enterprise Linux 7 php Not affected
Red Hat Enterprise Linux 6 php Will not fix
Red Hat Enterprise Linux 5 php53 Will not fix
Red Hat Enterprise Linux 5 php Will not fix
Last Modified

CVE description copyright © 2017, The MITRE Corporation