{"id":"CVE-2018-19518","details":"University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a \"-oProxyCommand\" argument.","modified":"2026-04-16T06:20:42.502552276Z","published":"2018-11-25T10:29:00.250Z","related":["SUSE-SU-2018:3986-1","SUSE-SU-2018:3988-1","SUSE-SU-2018:3995-1"],"references":[{"type":"WEB","url":"https://git.php.net/?p=php-src.git%3Ba=commit%3Bh=e5bfea64c81ae34816479bb05d17cdffe45adddb"},{"type":"WEB","url":"http://www.securitytracker.com/id/1042157"},{"type":"WEB","url":"http://www.securityfocus.com/bid/106018"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00031.html"},{"type":"ADVISORY","url":"https://bugs.debian.org/913835"},{"type":"ADVISORY","url":"https://bugs.php.net/bug.php?id=77160"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-57"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4160-1/"},{"type":"ADVISORY","url":"https://bugs.debian.org/913836"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20181221-0004/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00001.html"},{"type":"ADVISORY","url":"https://bugs.debian.org/913775"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/12/msg00006.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4353"},{"type":"EVIDENCE","url":"https://antichat.com/threads/463395/#post-4254681"},{"type":"EVIDENCE","url":"https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php"},{"type":"EVIDENCE","url":"https://bugs.php.net/bug.php?id=76428"},{"type":"EVIDENCE","url":"https://bugs.php.net/bug.php?id=77153"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/45914/"},{"type":"EVIDENCE","url":"https://www.openwall.com/lists/oss-security/2018/11/22/3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"fc1df8e7a6886e29a6ed5bef3f674ac61164e847"},{"last_affected":"b0822792c8d4c8d535ea1beb8ea63025496668e7"},{"introduced":"60fffd296abce5fc071f3c173c25a2696cf683c6"},{"last_affected":"cff4562e6dfe5db877504f310bf00e00198fbb73"},{"introduced":"0221e9f827632942225586687a33cfd554860d5e"},{"last_affected":"5eadf3a999d07c85a01b0efd648e3419bc26d181"},{"introduced":"8148cbb78841c8ec0759c0836e7f35dec799d300"},{"last_affected":"6c5fc072c8279ba76f5981ba8a0ff4dd7585bf29"},{"introduced":"0"},{"last_affected":"5dc92c2117cafc61daaaaa240fd46c3ac33872a4"}],"database_specific":{"versions":[{"introduced":"5.6.0"},{"last_affected":"5.6.38"},{"introduced":"7.0.0"},{"last_affected":"7.0.32"},{"introduced":"7.1.0"},{"last_affected":"7.1.24"},{"introduced":"7.2.0"},{"last_affected":"7.2.12"},{"introduced":"0"},{"last_affected":"8.0"}]}},{"type":"GIT","repo":"https://github.com/uw-imap/imap","events":[{"introduced":"0"},{"last_affected":"22f316e36dc00e445408f7a47750b7fa9c3ce369"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2007f"}]}}],"versions":["POST_64BIT_BRANCH_MERGE","POST_AST_MERGE","POST_PHP7_NSAPI_REMOVAL","POST_PHP7_REMOVALS","POST_PHPNG_MERGE","PRE_64BIT_BRANCH_MERGE","PRE_AST_MERGE","PRE_PHP7_EREG_MYSQL_REMOVALS","PRE_PHP7_NSAPI_REMOVAL","PRE_PHP7_REMOVALS","imap-2007f_upstream","php-5.6.38","php-7.0.32","php-7.1.24","php-7.1.24RC1","php-7.2.12","php-8.0.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}
,{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.04"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-19518.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}