CVE-2018-1000071
Published: 13 March 2018
roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
roundcube Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| bionic |
Needed
|
|
| cosmic |
Ignored
(end of life)
|
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Not vulnerable
(1.4.3+dfsg.1-1)
|
|
| groovy |
Not vulnerable
(1.4.3+dfsg.1-1)
|
|
| hirsute |
Not vulnerable
(1.4.3+dfsg.1-1)
|
|
| impish |
Not vulnerable
(1.4.11+dfsg.1-4)
|
|
| jammy |
Not vulnerable
(1.5.0+dfsg.1-2)
|
|
| kinetic |
Not vulnerable
(1.5.0+dfsg.1-2)
|
|
| lunar |
Not vulnerable
(1.5.0+dfsg.1-2)
|
|
| mantic |
Not vulnerable
(1.5.0+dfsg.1-2)
|
|
| trusty |
Does not exist
(trusty was not-affected)
|
|
| upstream |
Released
(1.4)
|
|
| xenial |
Needed
|
|
|
Patches: upstream: https://github.com/roundcube/roundcubemail/commit/48417c5fc9f6eb4b90500c09596606d489c700b5 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |