CVE-2015-8078
CVE-2015-8078 is a high-severity vulnerability in Cyrus Imap with a CVSS 2.0 base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-189.
Key facts
- Severity: High (CVSS 2.0 base score 7.5)
- EPSS exploit prediction: 3% (84th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-189
- Affected product: Cyrus Imap
- Published:
- Last modified:
Description
Integer overflow in the index_urlfetch function in imap/index.c in Cyrus IMAP 2.3.19, 2.4.18, and 2.5.6 allows remote attackers to have unspecified impact via vectors related to urlfetch range checks and the section_offset variable. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8076.
Frequently asked questions
- What is CVE-2015-8078?
- Integer overflow in the index_urlfetch function in imap/index.c in Cyrus IMAP 2.3.19, 2.4.18, and 2.5.6 allows remote attackers to have unspecified impact via vectors related to urlfetch range checks and the section_offset variable. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8076.
- How severe is CVE-2015-8078?
- CVE-2015-8078 has a CVSS 2.0 base score of 7.5, rated high severity.
- Is CVE-2015-8078 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (84th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2015-8078?
- CVE-2015-8078 primarily affects Cyrus Imap. In total, 43 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2015-8078?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2015-8078 published?
- CVE-2015-8078 was published on 2015-12-03 and last updated on 2026-06-17.
References
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00000.html
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00156.html
- http://www.openwall.com/lists/oss-security/2015/11/04/3
- http://www.securitytracker.com/id/1034282
- https://cyrus.foundation/cyrus-imapd/commit/?id=6fb6a272171f49c79ba6ab7c6403eb25b39ec1b2
- https://docs.cyrus.foundation/imap/release-notes/2.5/x/2.5.7.html
Affected products (43)
- cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.13:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.14:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.15:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.16:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.17:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.3.18:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.14:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.15:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.16:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.4.17:*:*:*:*:*:*:*
- cpe:2.3:a:cyrus:imap:2.5.0:*:*:*:*:*:*:*
More vulnerabilities in Cyrus Imap
- CVE-2019-18928 — Critical (CVSS 9.8): Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be…
- CVE-2019-11356 — Critical (CVSS 9.8): The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to…
- CVE-2017-14230 — Critical (CVSS 9.1): In the mboxlist_do_find function in imap/mboxlist.c in Cyrus IMAP before 3.0.4, an off-by-one error in prefix…
- CVE-2021-33582 — High (CVSS 7.5): Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input…
- CVE-2015-8077 — High (CVSS 7.5): Integer overflow in the index_urlfetch function in imap/index.c in Cyrus IMAP 2.3.19, 2.4.18, and 2.5.6 allows remote…
- CVE-2015-8076 — High (CVSS 7.5): The index_urlfetch function in index.c in Cyrus IMAP 2.3.x before 2.3.19, 2.4.x before 2.4.18, 2.5.x before 2.5.4…
All CVEs affecting Cyrus Imap →
Other CWE-189 (Numeric Errors) vulnerabilities
- CVE-2015-8396 — Critical (CVSS 10.0): Integer overflow in the ImageRegionReader::ReadIntoBuffer function in…
- CVE-2015-7205 — Critical (CVSS 10.0): Integer underflow in the RTPReceiverVideo::ParseRtpPacket function in Mozilla Firefox before 43.0 and Firefox ESR 38.x…
- CVE-2015-6575 — Critical (CVSS 10.0): SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I does not properly consider integer promotion, which…
- CVE-2015-3864 — Critical (CVSS 10.0): Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in…
- CVE-2015-3836 — Critical (CVSS 10.0): The Parse_wave function in arm-wt-22k/lib_src/eas_mdls.c in the Sonivox DLS-to-EAS converter in Android before 5.1.1…
- CVE-2015-3834 — Critical (CVSS 10.0): Multiple integer overflows in the BnHDCP::onTransact function in media/libmedia/IHDCP.cpp in libstagefright in Android…