Bugzilla – Bug 1067574
VUL-0: CVE-2017-16651: roundcubemail: Unauthorized access to arbitrary files on the host's filesystem
Last modified: 2020-08-13 16:03:22 UTC
CVE-2017-16651 Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16651 http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16651.html http://www.debian.org/security/2017/dsa-4030 http://www.cvedetails.com/cve/CVE-2017-16651/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16651 https://github.com/roundcube/roundcubemail/releases/tag/1.2.7 https://github.com/roundcube/roundcubemail/releases/tag/1.1.10 https://github.com/roundcube/roundcubemail/issues/6026 https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10 https://github.com/roundcube/roundcubemail/releases/tag/1.3.3
Update released for current distributions