CRITICAL🇵🇱 Wersja polska

CVE-2025-23394

CVSS 9.8v3.1pub. 2025-05-26upd. 2026-04-15

A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root.This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1.

🤖 AI Analysis
How it works

The vulnerability consists of improper handling of symbolic links (symlink) by a process running in the context of the 'cyrus' user. An attacker with access to this account can prepare a symlink pointing to privileged system resources, which leads to file operations being executed in the root context. This is a classic case of CWE-61, where the application follows a symbolic link without proper verification of its target.

Impact

An attacker with access to the 'cyrus' account can obtain full system administrator (root) privileges, enabling complete takeover of the operating system, including reading, modifying, or deleting arbitrary files.

Mitigation & patch

The cyrus-imapd package should be updated to version 3.8.4-2.1 or later on openSUSE Tumbleweed. Details are available in the vendor references at bugzilla.suse.com.

Who is affected

openSUSE Tumbleweed with cyrus-imapd package in versions prior to 3.8.4-2.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References