Bug 1067574 (CVE-2017-16651)

Summary: VUL-0: CVE-2017-16651: roundcubemail: Unauthorized access to arbitrary files on the host's filesystem
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Lars Vogdt <lars.vogdt>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: aj, astieger, cmueller, lars.vogdt, nix, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE 42.2   
URL: https://smash.suse.de/issue/194743/
Whiteboard: CVSSv3:RedHat:CVE-2017-16651:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Johannes Segitz 2017-11-10 07:09:18 UTC 
CVE-2017-16651

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3
allows unauthorized access to arbitrary files on the host's filesystem,
including configuration files, as exploited in the wild in November 2017. The
attacker must be able to authenticate at the target system with a valid
username/password as the attack requires an active session. The issue is related
to file-based attachment plugins and
_task=settings&_action=upload-display&_from=timezone requests.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16651
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16651.html
http://www.debian.org/security/2017/dsa-4030
http://www.cvedetails.com/cve/CVE-2017-16651/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16651
https://github.com/roundcube/roundcubemail/releases/tag/1.2.7
https://github.com/roundcube/roundcubemail/releases/tag/1.1.10
https://github.com/roundcube/roundcubemail/issues/6026
https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
https://github.com/roundcube/roundcubemail/releases/tag/1.3.3
Comment 1 Lars Vogdt 2020-08-13 16:03:22 UTC 
Update released for current distributions