Nixpkgs Security Tracker

Permalink CVE-2025-23394

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 6 months ago

daily-backup.sh script in cyrus-imapd allows escalation from cyrus to root

A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root.This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1.

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-23394
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-23394

Affected products

cyrus-imapd

<3.8.4-2.1

Matching in nixpkgs

pkgs.cyrus-imapd

Email, contacts and calendar server

nixos-unstable -
- nixpkgs-unstable 3.12.1

Package maintainers

@pingiun Jelle Besseling <nixos@pingiun.com>
@Moraxyc Moraxyc Xu <i@qaq.li>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.cyrus-imapd

Package maintainers