CVE-2017-16651

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-16651

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16651.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-16651

Related

Published

2017-11-09T14:29:00Z

Modified

2024-09-18T02:47:00.765679Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and task=settings&action=upload-display&_from=timezone requests.

References

Affected packages

Alpine:v3.3 / roundcubemail

Package

Name: roundcubemail
Purl: pkg:apk/alpine/roundcubemail?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.10-r0

Affected versions

0.*

0.2.1-r0

0.2.2-r0

0.3.1-r0

0.3.1-r1

0.4-r0

0.4-r1

0.4.2-r0

0.4.2-r1

0.5.1-r0

0.5.2-r0

0.5.2-r1

0.5.2-r2

0.5.3-r0

0.5.4-r0

0.6-r0

0.7-r0

0.7.1-r0

0.7.2-r0

0.8.0-r0

0.8.0-r1

0.8.1-r0

0.8.2-r0

0.8.3-r0

0.8.3-r1

0.8.4-r0

0.8.5-r0

0.8.6-r0

0.9.0-r0

0.9.1-r0

0.9.2-r0

0.9.3-r0

0.9.4-r0

0.9.5-r0

1.*

1.0.1-r0

1.0.2-r0

1.0.3-r0

1.0.4-r0

1.0.5-r0

1.1.0-r0

1.1.1-r0

1.1.2-r0

1.1.2-r1

1.1.2-r2

1.1.3-r0

1.1.4-r0

1.1.5-r0

1.1.6-r0

1.1.7-r0

1.1.8-r0

1.1.9-r0

Alpine:v3.4 / roundcubemail

Package

Name: roundcubemail
Purl: pkg:apk/alpine/roundcubemail?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.7-r0

Affected versions

0.*

0.2.1-r0

0.2.2-r0

0.3.1-r0

0.3.1-r1

0.4-r0

0.4-r1

0.4.2-r0

0.4.2-r1

0.5.1-r0

0.5.2-r0

0.5.2-r1

0.5.2-r2

0.5.3-r0

0.5.4-r0

0.6-r0

0.7-r0

0.7.1-r0

0.7.2-r0

0.8.0-r0

0.8.0-r1

0.8.1-r0

0.8.2-r0

0.8.3-r0

0.8.3-r1

0.8.4-r0

0.8.5-r0

0.8.6-r0

0.9.0-r0

0.9.1-r0

0.9.2-r0

0.9.3-r0

0.9.4-r0

0.9.5-r0

1.*

1.0.1-r0

1.0.2-r0

1.0.3-r0

1.0.4-r0

1.0.5-r0

1.1.0-r0

1.1.1-r0

1.1.2-r0

1.1.2-r1

1.1.2-r2

1.1.3-r0

1.1.4-r0

1.1.5-r0

1.1.5-r1

1.2.0-r0

1.2.0-r1

1.2.0-r2

1.2.2-r0

1.2.3-r0

1.2.4-r0

1.2.5-r0

Alpine:v3.5 / roundcubemail

Package

Name: roundcubemail
Purl: pkg:apk/alpine/roundcubemail?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.7-r0

Affected versions

0.*

0.2.1-r0

0.2.2-r0

0.3.1-r0

0.3.1-r1

0.4-r0

0.4-r1

0.4.2-r0

0.4.2-r1

0.5.1-r0

0.5.2-r0

0.5.2-r1

0.5.2-r2

0.5.3-r0

0.5.4-r0

0.6-r0

0.7-r0

0.7.1-r0

0.7.2-r0

0.8.0-r0

0.8.0-r1

0.8.1-r0

0.8.2-r0

0.8.3-r0

0.8.3-r1

0.8.4-r0

0.8.5-r0

0.8.6-r0

0.9.0-r0

0.9.1-r0

0.9.2-r0

0.9.3-r0

0.9.4-r0

0.9.5-r0

1.*

1.0.1-r0

1.0.2-r0

1.0.3-r0

1.0.4-r0

1.0.5-r0

1.1.0-r0

1.1.1-r0

1.1.2-r0

1.1.2-r1

1.1.2-r2

1.1.3-r0

1.1.4-r0

1.1.5-r0

1.1.5-r1

1.2.0-r0

1.2.0-r1

1.2.0-r2

1.2.1-r0

1.2.2-r0

1.2.3-r0

1.2.4-r0

1.2.5-r0

1.2.5-r1

Debian:11 / roundcube

Package

Name: roundcube
Purl: pkg:deb/debian/roundcube?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.3+dfsg.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / roundcube

Package

Name: roundcube
Purl: pkg:deb/debian/roundcube?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.3+dfsg.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / roundcube

Package

Name: roundcube
Purl: pkg:deb/debian/roundcube?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.3+dfsg.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/roundcube/roundcubemail

Affected ranges

Type: GIT
Repo: https://github.com/roundcube/roundcubemail
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

12813e9d430c057659a07c37b5680b6fd78efc12

Last affected

1d7be448f309d33c6ad4252c0abf581402891f22

Last affected

2c7f3751ab5a1b04d7bb300cdac419848ccc6f32

Last affected

3644b02d0bd0d472f593fb2a732b2b5bc762fd50

Last affected

4181f296087397d444f944a47151e94212a53e8e

Last affected

444fdb6161bdb0c5e90d41e30803f10e8dd5f9e8

Last affected

854aa7f35f6ed963033e2c0c4735852af7eca21b

Last affected

b6132b2bcd69e648f74677b741e4dfbfe7bb77cc

Last affected

cbd35626f7db7855f3b5e2db00d28ecc1554e9f4

Last affected

e62a7d0dfa1ffe603c9a0a6d967bd738498e1d0f

Last affected

f04fc506b0bd2c8033b657978baa1a9f34d0eab6

Affected versions

1.*

1.1-beta

1.1-rc

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9

1.2-beta

1.2-rc

1.2.0

1.2.1

1.3-beta

1.3-rc

1.3.0

1.3.1

1.3.2

v0.*

v0.1-beta2

v1.*

v1.0-beta