CVE-2017-16651
Published: 9 November 2017
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate to the target system with a valid username/password, as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
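The two checks a practitioner wants from this description are a version test against the three fixed releases and a scan of web server access logs for the request shape named above. The following is an added example written for this page; it is not Roundcube's code nor anything from the Ubuntu tracker. It uses only what the advisory states (the fixed versions 1.1.10, 1.2.7 and 1.3.3 and the three query parameters); the log lines are constructed for the example, and the `_id=1` parameter in one of them is a placeholder, not a claim about which parameters the real exploit used.

```python
"""Triage helpers for CVE-2017-16651 (Roundcube arbitrary file read).

Added example, not project code. Derived solely from the advisory text:
fixed versions 1.1.10 / 1.2.7 / 1.3.3 and the request pattern
_task=settings&_action=upload-display&_from=timezone.
"""
import re
from urllib.parse import parse_qs, urlsplit


def parse_version(version: str) -> tuple:
    """'1.3.6+dfsg.1-1' -> (1, 3, 6); packaging suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version: str) -> bool:
    """Affected per the advisory: 1.2.x < 1.2.7, 1.3.x < 1.3.3, and
    everything else below 1.1.10 (which covers 1.0.x and 1.1.x)."""
    v = parse_version(version)
    if v[:2] == (1, 2):
        return v < (1, 2, 7)
    if v[:2] == (1, 3):
        return v < (1, 3, 3)
    if v > (1, 3, 3):
        return False  # newer branches are outside the advisory's ranges
    return v < (1, 1, 10)


# Common/combined log format; only the fields the check needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The three parameters the advisory names; parameter order in the URL and
# percent-encoding are irrelevant because the query string is decoded first.
EXPLOIT_PARAMS = {"_task": "settings", "_action": "upload-display", "_from": "timezone"}


def is_exploit_request(target: str) -> bool:
    """Case-insensitive on purpose so the check stays broad; treat hits as
    candidates for review, not as confirmed compromise."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key, wanted in EXPLOIT_PARAMS.items():
        values = qs.get(key)
        if not values or values[0].lower() != wanted:
            return False
    return True


def scan_access_log(text: str) -> list:
    """Return one record per matching request. Any parameters beyond the
    three named ones are reported so an analyst can see what else the
    request carried (e.g. which file was asked for)."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not is_exploit_request(target):
            continue
        qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": m.group("status"),
            "extra_params": {k: v for k, v in qs.items() if k not in EXPLOIT_PARAMS},
        })
    return hits


# Constructed sample log (documentation IP ranges). Line 1 and line 3 should
# match; line 2 is normal mail traffic and line 4 is an upload-display request
# without _from=timezone. "_id=1" is a placeholder extra parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Nov/2017:10:21:03 +0000] "GET /roundcube/?_task=settings&_action=upload-display&_from=timezone&_id=1 HTTP/1.1" 200 1893
198.51.100.7 - - [09/Nov/2017:10:22:41 +0000] "GET /roundcube/?_task=mail&_action=show&_uid=42&_mbox=INBOX HTTP/1.1" 200 5120
203.0.113.5 - - [09/Nov/2017:10:23:10 +0000] "GET /roundcube/?_action=upload%2Ddisplay&_from=TIMEZONE&_task=settings HTTP/1.1" 200 1771
198.51.100.7 - - [09/Nov/2017:10:24:02 +0000] "GET /roundcube/?_task=settings&_action=upload-display HTTP/1.1" 404 233
"""

if __name__ == "__main__":
    for ver in ("1.1.9", "1.2.7", "1.3.2", "1.3.6+dfsg.1-1"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Two caveats apply when using this on real logs. Access logs only record the request line, so parameters sent in a POST body are invisible to the scan; and a match proves an attempt, not a success, since the advisory says the attack needs an active session, so correlate hits with the Roundcube session or authentication logs for the same source before concluding a file was read.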
Priority
Status
| Package | Release | Status |
|---|---|---|
| roundcube | artful | Ignored (end of life) |
| roundcube | bionic | Not vulnerable (1.3.6+dfsg.1-1) |
| roundcube | cosmic | Not vulnerable (1.3.6+dfsg.1-1) |
| roundcube | disco | Not vulnerable (1.3.6+dfsg.1-1) |
| roundcube | eoan | Not vulnerable (1.3.6+dfsg.1-1) |
| roundcube | focal | Not vulnerable (1.3.6+dfsg.1-1) |
| roundcube | groovy | Not vulnerable (1.3.6+dfsg.1-1) |
| roundcube | hirsute | Not vulnerable (1.3.6+dfsg.1-1) |
| roundcube | impish | Not vulnerable (1.3.6+dfsg.1-1) |
| roundcube | jammy | Not vulnerable (1.3.6+dfsg.1-1) |
| roundcube | kinetic | Not vulnerable (1.3.6+dfsg.1-1) |
| roundcube | lunar | Not vulnerable (1.3.6+dfsg.1-1) |
| roundcube | mantic | Not vulnerable (1.3.6+dfsg.1-1) |
| roundcube | noble | Not vulnerable (1.3.6+dfsg.1-1) |
| roundcube | trusty | Does not exist (trusty was needed) |
| roundcube | upstream | Released (1.3.3+dfsg.1-1) |
| roundcube | xenial | Needed |
| roundcube | zesty | Ignored (end of life) |

Patches:
- upstream: https://github.com/roundcube/roundcubemail/commit/2a32f51c91d5e9c7b1a9d931846dd44c008ff36d
- upstream: https://github.com/roundcube/roundcubemail/commit/c90ad5a97784fb32683b8e3c21d6c95baab6d806
- upstream: https://github.com/roundcube/roundcubemail/commit/9be2224c779d7abc7b29eea2b83a8a3671c543e0
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
- https://github.com/roundcube/roundcubemail/issues/6026
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.10
- https://github.com/roundcube/roundcubemail/releases/tag/1.2.7
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.3
- https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
- https://www.cve.org/CVERecord?id=CVE-2017-16651