First published: Thu Nov 09 2017 (Updated: )
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate to the target system with a valid username and password, as the attack requires an active session. The issue is related to file-based attachment plugins and `_task=settings&_action=upload-display&_from=timezone` requests.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Roundcube Webmail | <=1.1.9 | |
| Roundcube Webmail | =1.2.0 | |
| Roundcube Webmail | =1.2.1 | |
| Roundcube Webmail | =1.2.2 | |
| Roundcube Webmail | =1.2.3 | |
| Roundcube Webmail | =1.2.4 | |
| Roundcube Webmail | =1.2.5 | |
| Roundcube Webmail | =1.2.6 | |
| Roundcube Webmail | =1.3.0 | |
| Roundcube Webmail | =1.3.1 | |
| Roundcube Webmail | =1.3.2 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =9.0 | |
| debian/roundcube | 1.3.17+dfsg.1-1~deb10u2, 1.3.17+dfsg.1-1~deb10u3, 1.4.14+dfsg.1-1~deb11u1, 1.4.13+dfsg.1-1~deb11u1, 1.6.3+dfsg-1~deb12u1, 1.6.4+dfsg-1 | |
The vulnerability ID for the Roundcube Webmail file disclosure vulnerability is CVE-2017-16651.
The severity of CVE-2017-16651 is high with a CVSS score of 7.8.
Roundcube Webmail versions before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 are affected by CVE-2017-16651.
Exploiting CVE-2017-16651 gives an authenticated attacker unauthorized read access to arbitrary files on the host's filesystem, including configuration files.
Yes, a fix for CVE-2017-16651 is available. Users should update to Roundcube Webmail version 1.1.10, 1.2.7, or 1.3.3 or later.
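For defenders who cannot patch immediately, or who want to check whether the issue was probed before patching, the request shape named in the description above (`_task=settings&_action=upload-display&_from=timezone`) can be searched for in web server access logs. The following is an added example, not code from the Roundcube project or from this advisory: it parses combined-format access log lines, matches the three query parameters regardless of their order, and reports the source address, timestamp and response status of each hit for triage. The log lines and IP addresses are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters that together identify the request shape named in the
# CVE-2017-16651 advisory (_task=settings&_action=upload-display&_from=timezone).
INDICATOR = {"_task": "settings", "_action": "upload-display", "_from": "timezone"}

# Apache/nginx "combined" access-log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)


def is_upload_display_probe(target: str) -> bool:
    """True when the request target carries all three indicator parameters, in any order."""
    qs = parse_qs(urlsplit(target).query)
    return all(qs.get(key) == [value] for key, value in INDICATOR.items())


def scan_access_log(lines):
    """Return (ip, timestamp, status, target) for every matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_upload_display_probe(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status")), m.group("target")))
    return hits


# Constructed sample log lines (hypothetical, not taken from any real incident).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Nov/2017:10:01:02 +0000] "GET /roundcube/?_task=mail&_action=show&_uid=12 HTTP/1.1" 200 4321',
    '203.0.113.5 - - [09/Nov/2017:10:01:09 +0000] "GET /roundcube/?_task=settings&_action=upload-display&_from=timezone HTTP/1.1" 200 910',
    '198.51.100.7 - - [09/Nov/2017:10:02:30 +0000] "GET /roundcube/?_task=settings&_action=plugin.managesieve HTTP/1.1" 200 2211',
    '203.0.113.5 - - [09/Nov/2017:10:02:44 +0000] "GET /roundcube/?_action=upload-display&_from=timezone&_task=settings HTTP/1.1" 200 1102',
]

if __name__ == "__main__":
    for ip, ts, status, target in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {target}")
```

Because the attack requires an active session, each hit can be tied back to a Roundcube user through the application's own session or login logs for that source address and time window.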