CVE-2020-12641: Roundcube Webmail Remote Code Execution Vulnerability
First published: Mon May 04 2020(Updated: )
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Roundcube Webmail | >=1.2.0<1.2.10 | |
| Roundcube Webmail | >=1.3.0<1.3.11 | |
| Roundcube Webmail | >=1.4.0<1.4.4 | |
| openSUSE Backports SLE | =15.0-sp1 | |
| openSUSE Backports SLE | =15.0-sp2 | |
| openSUSE Leap | =15.1 | |
| openSUSE Leap | =15.2 | |
| Roundcube Roundcube Webmail | ||
| >=1.2.0<1.2.10 | ||
| >=1.3.0<1.3.11 | ||
| >=1.4.0<1.4.4 | ||
| =15.0-sp1 | ||
| =15.0-sp2 | ||
| =15.1 | ||
| =15.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12641-Command%20Injection-Roundcube
- https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3
- https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4
- https://github.com/roundcube/roundcubemail/releases/tag/1.4.4
- https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10
- https://security.gentoo.org/glsa/202007-41
- https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10;
- https://nvd.nist.gov/vuln/detail/CVE-2020-12641
Frequently Asked Questions
What is CVE-2020-12641?
CVE-2020-12641 is a remote code execution vulnerability in Roundcube Webmail.
How does the CVE-2020-12641 vulnerability work?
The CVE-2020-12641 vulnerability allows attackers to execute code by using shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
Which software is affected by CVE-2020-12641?
Roundcube Webmail versions 1.2.10, 1.3.11, and 1.4.4 are affected by CVE-2020-12641.
How can an attacker exploit CVE-2020-12641?
An attacker can exploit CVE-2020-12641 by injecting malicious shell metacharacters in the configuration settings for im_convert_path or im_identify_path, allowing them to execute arbitrary code.
How can I mitigate or fix the CVE-2020-12641 vulnerability?
To mitigate CVE-2020-12641, it is recommended to update Roundcube Webmail to versions 1.2.10, 1.3.11, or 1.4.4, which include security updates addressing the vulnerability.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/description
- agent/weakness
- agent/severity
- agent/remedy
- agent/title
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/references
- agent/event
- agent/tags
- collector/nvd-cve
- source/NVD
- vendor/roundcube
- canonical/roundcube webmail
- version/roundcube webmail/1.2.0
- version/roundcube webmail/1.3.0
- version/roundcube webmail/1.4.0
- vendor/opensuse
- canonical/opensuse backports sle
- version/opensuse backports sle/15.0-sp1
- version/opensuse backports sle/15.0-sp2
- canonical/opensuse leap
- version/opensuse leap/15.1
- version/opensuse leap/15.2
- canonical/roundcube roundcube webmail