Vulnerability details: VCID-tz8v-ae8r-aaaa
Vulnerability ID VCID-tz8v-ae8r-aaaa
Aliases CVE-2018-19518
Summary University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
Status Published
Exploitability 2.0
Weighted Severity 7.7
Risk 10.0
System Score Found at
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19518.html
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-19518.json
generic_textual Medium https://antichat.com/threads/463395/#post-4254681
epss 0.93964 https://api.first.org/data/v1/epss?cve=CVE-2018-19518
epss 0.94078 https://api.first.org/data/v1/epss?cve=CVE-2018-19518
epss 0.94081 https://api.first.org/data/v1/epss?cve=CVE-2018-19518
epss 0.96927 https://api.first.org/data/v1/epss?cve=CVE-2018-19518
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1654228
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14851
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14883
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17082
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19518
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19935
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20783
cvssv3 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
generic_textual Medium https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
cvssv2 8.5 https://nvd.nist.gov/vuln/detail/CVE-2018-19518
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2018-19518
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2018-19518
generic_textual Medium https://ubuntu.com/security/notices/USN-4160-1
generic_textual Medium https://usn.ubuntu.com/usn/usn-4160-1
generic_textual Medium https://www.openwall.com/lists/oss-security/2018/11/22/3
Reference id Reference type URL
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19518.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-19518.json
https://antichat.com/threads/463395/#post-4254681
https://api.first.org/data/v1/epss?cve=CVE-2018-19518
https://bugs.debian.org/913775
https://bugs.debian.org/913835
https://bugs.debian.org/913836
https://bugs.php.net/bug.php?id=76428
https://bugs.php.net/bug.php?id=77153
https://bugs.php.net/bug.php?id=77160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14851
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19935
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20783
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
https://git.php.net/?p=php-src.git%3Ba=commit%3Bh=e5bfea64c81ae34816479bb05d17cdffe45adddb
https://git.php.net/?p=php-src.git;a=commit;h=e5bfea64c81ae34816479bb05d17cdffe45adddb
https://lists.debian.org/debian-lts-announce/2018/12/msg00006.html
https://lists.debian.org/debian-lts-announce/2019/03/msg00001.html
https://lists.debian.org/debian-lts-announce/2021/12/msg00031.html
https://security.gentoo.org/glsa/202003-57
https://security.netapp.com/advisory/ntap-20181221-0004/
https://ubuntu.com/security/notices/USN-4160-1
https://usn.ubuntu.com/4160-1/
https://usn.ubuntu.com/usn/usn-4160-1
https://www.debian.org/security/2018/dsa-4353
https://www.exploit-db.com/exploits/45914/
https://www.openwall.com/lists/oss-security/2018/11/22/3
http://www.securityfocus.com/bid/106018
http://www.securitytracker.com/id/1042157
1654228 https://bugzilla.redhat.com/show_bug.cgi?id=1654228
913775 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913775
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:uw-imap_project:uw-imap:2007f:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:uw-imap_project:uw-imap:2007f:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVE-2018-19518 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/45914.rb
CVE-2018-19518 https://nvd.nist.gov/vuln/detail/CVE-2018-19518
CVE-2018-19518 Exploit https://raw.githubusercontent.com/rapid7/metasploit-framework/b3ad4a03581f53c670d91e82d2a4ef00ec392f8f/modules/exploits/linux/http/php_imap_open_rce.rb
Data source Metasploit
Description The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use. Prestashop exploitation requires the admin URI, and administrator credentials. suiteCRM/e107 require administrator credentials. Fixed in php 5.6.39.
Ransomware campaign use Unknown
Source publication date Oct. 23, 2018
Platform Unix
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/php_imap_open_rce.rb
Data source Exploit-DB
Date added Nov. 29, 2018
Description PHP imap_open - Remote Code Execution (Metasploit)
Ransomware campaign use Known
Source publication date Nov. 29, 2018
Exploit type remote
Platform linux
Source update date Nov. 29, 2018
Source URL https://raw.githubusercontent.com/rapid7/metasploit-framework/b3ad4a03581f53c670d91e82d2a4ef00ec392f8f/modules/exploits/linux/http/php_imap_open_rce.rb
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-19518.json

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C Found at https://nvd.nist.gov/vuln/detail/CVE-2018-19518

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-19518

Exploit Prediction Scoring System (EPSS)
Percentile 0.99875
EPSS Score 0.93964
Published At June 3, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.