CVE-2017-16651
Severity: HIGH | Listed in CISA KEV | CVSS 7.8
Description
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
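Two checks a practitioner will want from the description above: whether a deployed Roundcube version falls in the affected ranges (before 1.1.10, 1.2.x before 1.2.7, 1.3.x before 1.3.3), and whether web server access logs contain the request shape the description ties to the issue (_task=settings with _action=upload-display and _from=timezone). The following is an added example written for this page, not code from Roundcube or from any of the references; it assumes Apache/nginx combined log format for the sample lines, which are constructed, and it keys only on the three parameters the description names, because the page does not name the parameter that carries the requested file path. A hit therefore means "review this session", not a confirmed exploitation.

```python
"""Added example for CVE-2017-16651: version-range check plus an access-log
detector for the request shape named in the NVD description."""
import re
from urllib.parse import parse_qs, urlsplit

# First fixed release per branch, from the advisory text; earlier versions in
# each branch are affected.
FIXED = {(1, 1): (1, 1, 10), (1, 2): (1, 2, 7), (1, 3): (1, 3, 3)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(s):
    """'1.3.2' -> (1, 3, 2). A missing patch level counts as 0; suffixes such as
    '-rc1' are ignored."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True if version is < 1.1.10, 1.2.x < 1.2.7 or 1.3.x < 1.3.3."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # 1.0.x and older are all "before 1.1.10"; 1.4+ postdates the fix.
    return v < (1, 1)


# Combined log format (assumption): client, timestamp, request line, status.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# The three parameters the description ties to the issue. The file-path
# parameter is not given on the page, so the detector does not look for it.
SUSPICIOUS = {"_task": "settings", "_action": "upload-display", "_from": "timezone"}


def is_upload_display_probe(url):
    """True if the query carries all three parameters with the named values,
    in any order."""
    qs = parse_qs(urlsplit(url).query)
    return all(qs.get(k, [None])[0] == v for k, v in SUSPICIOUS.items())


def find_probes(log_lines):
    """Return (client, timestamp, url, status) for each matching request."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, ts, _method, url, status = m.groups()
        if is_upload_display_probe(url):
            hits.append((client, ts, url, int(status)))
    return hits


# Constructed sample lines (not real traffic). Lines 2 and 4 should match;
# line 3 has the same task/action but a different _from value.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Nov/2017:10:01:02 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 1234',
    '203.0.113.5 - - [09/Nov/2017:10:01:09 +0000] "GET /?_task=settings&_action=upload-display&_from=timezone HTTP/1.1" 200 2210',
    '198.51.100.7 - - [09/Nov/2017:10:02:30 +0000] "GET /?_task=settings&_action=upload-display&_from=identity HTTP/1.1" 404 312',
    '198.51.100.7 - - [09/Nov/2017:10:03:11 +0000] "GET /roundcube/?_from=timezone&_task=settings&_action=upload-display HTTP/1.1" 200 1870',
]

if __name__ == "__main__":
    for v in ("1.1.9", "1.2.7", "1.3.2", "1.4.0"):
        print(v, "affected" if is_vulnerable(v) else "fixed")
    for hit in find_probes(SAMPLE_LOG):
        print("probe:", hit)
```

Because the attack requires an active session, pair each hit with the authenticated username from Roundcube's own session or user logs before treating it as an incident, and check whether the responding server was on an affected version at the time.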
CVE details
CVSS v3.1 score: 7.8
Severity: HIGH
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Note: the NVD vector records a local attack vector and high impact on integrity and availability, while the description above reads as an authenticated remote web request that discloses files. Treat the 7.8 as NVD's recorded score rather than as a severity assessment of the file-disclosure behaviour itself.
Published: 2017-11-09
Last modified: 2026-04-21
Source: kev
Honeypot sightings: 0
CISA KEV
Vendor: Roundcube
Product: Roundcube Webmail
Vulnerability name: Roundcube Webmail File Disclosure Vulnerability
Date added to KEV: 2021-11-03
Remediation due date: 2022-05-03
Known use in ransomware campaigns: Unknown
Affected products
debian:debian_linux
roundcube:webmail
Weaknesses (CWE)
CWE-552 (Files or Directories Accessible to External Parties)
References
http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html
http://www.securityfocus.com/bid/101793
https://github.com/roundcube/roundcubemail/issues/6026
https://github.com/roundcube/roundcubemail/releases/tag/1.1.10
https://github.com/roundcube/roundcubemail/releases/tag/1.2.7
https://github.com/roundcube/roundcubemail/releases/tag/1.3.3
https://lists.debian.org/debian-lts-announce/2017/11/msg00039.html
https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
https://www.debian.org/security/2017/dsa-4030
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-16651
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.