CVE-2021-32056

NameCVE-2021-32056
DescriptionCyrus IMAP before 3.2.7, and 3.3.x and 3.4.x before 3.4.1, allows remote authenticated users to bypass intended access restrictions on server annotations and consequently cause replication to stall.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cyrus-imapd (PTS)bullseye3.2.6-2+deb11u2fixed
bookworm3.6.1-4+deb12u3fixed
bookworm (security)3.6.1-4+deb12u2fixed
sid3.10.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cyrus-imapdsourcestretch(not affected)
cyrus-imapdsourcebuster(not affected)
cyrus-imapdsource(unstable)3.2.6-2

Notes

[buster] - cyrus-imapd <not-affected> (Vulnerable code introduced in the 3.2.x series)
[stretch] - cyrus-imapd <not-affected> (Vulnerable code introduced in the 3.2.x series)
https://github.com/cyrusimap/cyrus-imapd/commit/621f9e41465b521399f691c241181300fab55995
https://cyrus.topicbox.com/groups/announce/T126392718bc29d6b/cyrus-imap-3-2-7-released
Search for package or bug name: Reporting problems