CVE-2019-19783 in Cyrus IMAP
Summary
by MITRE
An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.
Analysis
by VulDB Data Team • 05/21/2025
This vulnerability affects the Cyrus IMAP server in versions 2.5.14 and earlier, 3.0.12 and earlier, and 3.1.7 and earlier. The flaw resides in the handling of sieve scripts, which users write to automate mail processing tasks such as filtering, forwarding, and archiving messages. When sieve script uploading is enabled (3.x) or specific non-default sieve options are configured (2.x), an authenticated user can exploit this weakness to create mailboxes with administrative rights. The vulnerability lies in the autosieve_createfolder() function in the imap/lmtp_sieve.c source file, which mishandles folder creation during sieve script execution.
The technical root cause is inadequate input validation and missing privilege separation in the sieve processing path. When a user's sieve script contains a fileinto directive, the server should verify that the target mailbox lies within what that user is permitted to create. The autosieve_createfolder() function does not properly check folder paths and access controls, so a user can name an arbitrary mailbox and have it created outside the normal administrative restrictions. This is a classic privilege escalation: a low-privilege user gains a capability reserved for administrators. The flaw aligns with CWE-269: "Improper Privilege Management" and CWE-78: "Improper Neutralization of Special Elements used in an OS Command", as it allows unauthorized creation of administrative mailboxes through malformed script directives.
The operational impact of this vulnerability is significant for organizations relying on Cyrus IMAP servers for email services. An authenticated attacker with a valid mail account can leverage this weakness to create administrative mailboxes, potentially gaining access to all user mailboxes, modifying server configurations, or even creating backdoor accounts. This could lead to complete compromise of the email infrastructure, data exfiltration, and persistent access to the organization's communication channels. The vulnerability affects environments where sieve scripting is enabled for user mailboxes, which is common in enterprise email deployments where users need automated email processing capabilities. Organizations using default sieve configurations or enabling non-default options that allow script uploads are particularly at risk.
Mitigation strategies should focus on immediate software updates to patched versions of Cyrus IMAP including 2.5.15, 3.0.13, and 3.1.8 or later. Administrators should disable sieve script uploading capabilities where possible and implement strict access controls for sieve script execution. The recommended approach includes reviewing and tightening sieve configuration options, particularly disabling the fileinto directive when not required, and implementing proper input validation for mailbox names in sieve scripts. Network segmentation and monitoring of sieve script activities can provide additional defense-in-depth measures. Organizations should also consider implementing the principle of least privilege for sieve script execution and regularly audit mailbox creation activities. This vulnerability demonstrates the importance of proper privilege management in email server software and aligns with ATT&CK technique T1078.004: "Valid Accounts: Cloud Accounts" where compromised mail accounts can be used to escalate privileges within the email infrastructure.
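As an added illustration (not Cyrus code and not the project's fix), the check that the root-cause and mitigation paragraphs describe as missing: fileinto targets are resolved to an internal mailbox name and folder creation is allowed only inside the script owner's own namespace. The naming convention ("user.<login>" with '.' as separator), the function names and the sample script are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustration only, not Cyrus code. Assumed naming: internal mailboxes are
 * "user.<login>..." with '.' as separator; a target not starting with "user." is
 * relative to the script owner's INBOX. */

/* Allow folder creation only if the resolved target lies strictly inside the
 * owner's namespace: for owner "alice", "user.bob.X", "user.alice" itself and
 * "user.alicex.Y" are refused, while "Lists.sec" and "user.alice.Lists" pass. */
bool target_allowed(const char *owner, const char *target)
{
    char prefix[256], name[256];
    int n = snprintf(prefix, sizeof prefix, "user.%s.", owner);
    if (n <= 0 || (size_t)n >= sizeof prefix || target[0] == '\0') return false;
    for (const char *p = target; *p; p++)   /* no empty path components */
        if (*p == '.' && (p == target || p[1] == '.' || p[1] == '\0')) return false;
    int m = strncmp(target, "user.", 5) == 0
          ? snprintf(name, sizeof name, "%s", target)            /* absolute */
          : snprintf(name, sizeof name, "%s%s", prefix, target); /* relative */
    if (m <= 0 || (size_t)m >= sizeof name) return false;
    return strncmp(name, prefix, strlen(prefix)) == 0;
}

/* Count fileinto directives whose target the owner may not create. Only the
 * plain form fileinto "name"; is parsed; tagged forms such as :copy are not. */
int count_disallowed_fileinto(const char *owner, const char *script)
{
    int bad = 0;
    for (const char *s = script; (s = strstr(s, "fileinto")) != NULL; ) {
        const char *ws = (s += strlen("fileinto"));
        while (*s == ' ' || *s == '\t') s++;
        if (s == ws || *s != '"') continue;   /* skips "fileinto" inside require */
        const char *start = ++s, *end = strchr(start, '"');
        if (!end) break;
        char target[256];
        size_t len = (size_t)(end - start);
        if (len < sizeof target) { memcpy(target, start, len); target[len] = '\0'; }
        if (len >= sizeof target || !target_allowed(owner, target)) bad++;
        s = end + 1;
    }
    return bad;
}

/* Constructed sample script for owner "alice": one legitimate folder and one
 * fileinto reaching into another user's namespace. */
static const char SAMPLE_SCRIPT[] = "require [\"fileinto\"];\n"
    "if header :contains \"subject\" \"invoice\" { fileinto \"Finance.2019\"; }\n"
    "if header :contains \"subject\" \"report\" { fileinto \"user.bob.Sent\"; }\n";
int sample_disallowed(void) { return count_disallowed_fileinto("alice", SAMPLE_SCRIPT); }
```

The same scan can be run over stored sieve scripts as an audit step, flagging any script whose fileinto targets leave the owner's namespace.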