CVE-2018-9846: Input Validation
First published: Sat Apr 07 2018(Updated: )
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/roundcube | 1.3.17+dfsg.1-1~deb10u2 1.3.17+dfsg.1-1~deb10u3 1.4.14+dfsg.1-1~deb11u1 1.4.13+dfsg.1-1~deb11u1 1.6.3+dfsg-1~deb12u1 1.6.4+dfsg-1 | |
| barnraiser AROUNDMe | >=1.2.0<=1.3.5 | |
| Debian | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/roundcube/roundcubemail/issues/6238
- https://security-tracker.debian.org/tracker/CVE-2018-9846
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9846
- https://github.com/roundcube/roundcubemail/commit/e3dd5b66d236867572e68fcb80281e9268a0cfb0
- https://github.com/roundcube/roundcubemail/commit/cdeb6234a2e029c499898c3432fdf5b2cf093640
- https://github.com/roundcube/roundcubemail/commit/5b7e9a2c960eb4fd2364921297020a5dcd2d7dbc
- https://github.com/roundcube/roundcubemail/commit/c69b851b8a704f6483ec9d1cae7cd1ecd33c3343
- https://github.com/roundcube/roundcubemail/commit/7901047474729a7f466eb8c59c92a36fc7cf0e70
- https://security-tracker.debian.org/tracker/CVE-2018-1000071
- https://github.com/roundcube/roundcubemail/issues/6173
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895184
- https://github.com/roundcube/roundcubemail/issues/6229
- https://medium.com/@ndrbasi/cve-2018-9846-roundcube-303097048b0a
- https://www.debian.org/security/2018/dsa-4181
- https://medium.com/%40ndrbasi/cve-2018-9846-roundcube-303097048b0a
Frequently Asked Questions
What is CVE-2018-9846?
CVE-2018-9846 is a vulnerability in Roundcube versions 1.2.0 to 1.3.5 with the archive plugin enabled and configured.
What is the severity of CVE-2018-9846?
CVE-2018-9846 has a severity score of 8.8 (high).
How can CVE-2018-9846 be exploited?
CVE-2018-9846 can be exploited through an MX (IMAP) injection attack using the unsanitized '_uid' parameter in the 'archive.php' file.
Which software is affected by CVE-2018-9846?
Roundcube versions 1.2.0 to 1.3.5 with the archive plugin enabled and configured are affected. Additionally, Roundcube Webmail and Debian Linux version 9.0 are also affected.
How can I fix the CVE-2018-9846 vulnerability?
To fix the CVE-2018-9846 vulnerability, update Roundcube to version 1.3.17+dfsg.1-1~deb10u2, 1.3.17+dfsg.1-1~deb10u3, 1.4.14+dfsg.1-1~deb11u1, 1.4.13+dfsg.1-1~deb11u1, 1.6.3+dfsg-1~deb12u1, or 1.6.4+dfsg-1.
- collector/debian-bugs
- alias/CVE-2018-9846
- collector/security-tracker-debian
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/event
- agent/description
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/roundcube
- canonical/barnraiser aroundme
- version/barnraiser aroundme/1.2.0
- version/barnraiser aroundme/1.3.5
- vendor/debian
- canonical/debian
- version/debian/9.0