CVE-2021-44026: Roundcube Webmail SQL Injection Vulnerability
First published: Fri Nov 19 2021(Updated: )
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/roundcube | 1.3.17+dfsg.1-1~deb10u2 1.3.17+dfsg.1-1~deb10u3 1.4.14+dfsg.1-1~deb11u1 1.4.13+dfsg.1-1~deb11u1 1.6.3+dfsg-1~deb12u1 1.6.4+dfsg-1 | |
| Roundcube Webmail | <1.3.17 | |
| Roundcube Webmail | >=1.4.0<1.4.12 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Roundcube Roundcube Webmail | ||
| <1.3.17 | ||
| >=1.4.0<1.4.12 | ||
| =33 | ||
| =34 | ||
| =9.0 | ||
| =10.0 | ||
| =11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
- https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa
- https://security-tracker.debian.org/tracker/CVE-2021-44026
- https://bugs.debian.org/1000156
- https://lists.debian.org/debian-lts-announce/2021/12/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDVGIZMQJ5IOM47Y3SAAJRN5VPANKTKO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TP3Y5RXTUUOUODNG7HFEKWYNIPIT2NL4/
- https://www.debian.org/security/2021/dsa-5013
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NDVGIZMQJ5IOM47Y3SAAJRN5VPANKTKO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TP3Y5RXTUUOUODNG7HFEKWYNIPIT2NL4/
- https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released;
- https://nvd.nist.gov/vuln/detail/CVE-2021-44026
Frequently Asked Questions
What is CVE-2021-44026?
CVE-2021-44026 is a vulnerability known as Roundcube Webmail SQL Injection Vulnerability.
How does the Roundcube Webmail SQL Injection vulnerability work?
The Roundcube Webmail SQL Injection vulnerability allows an attacker to inject SQL commands via search or search_params and potentially gain unauthorized access to the database.
What software is affected by CVE-2021-44026?
Roundcube Webmail versions 1.4.11 and earlier, and versions 1.3.16 and earlier, are affected by this vulnerability.
How can I fix the Roundcube Webmail SQL Injection vulnerability?
To fix the Roundcube Webmail SQL Injection vulnerability, update to version 1.4.12 or 1.3.17, which contain the necessary security patches.
What is the severity of CVE-2021-44026?
The severity of CVE-2021-44026 is high.
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/severity
- agent/weakness
- agent/title
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/references
- agent/tags
- collector/nvd-cve
- package-manager/debian
- vendor/roundcube
- canonical/roundcube webmail
- version/roundcube webmail/1.4.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- canonical/roundcube roundcube webmail