CVE-2017-8114
Publication date 29 April 2017
Last updated 24 July 2024
Ubuntu priority
Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| roundcube | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Vulnerable
|
|
| 14.04 LTS trusty | Not in release | |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.8 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Other references
- https://github.com/roundcube/roundcubemail/releases/tag/1.2.5
- https://github.com/roundcube/roundcubemail/commit/6e054a37d13dc3772d0aa454a32d5dc3bdcc7003 (1.2.x)
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.9
- https://github.com/roundcube/roundcubemail/commit/10b227d70a03e33682aaaa0138e84f9256f3cd50 (1.1.x)
- https://github.com/roundcube/roundcubemail/releases/tag/1.0.11
- https://github.com/roundcube/roundcubemail/commit/271426429bfbb5b63e6dec91b1e4780e8ef1c67e (1.0.x)
- https://www.cve.org/CVERecord?id=CVE-2017-8114