CVE-2017-16651
HIGH | CISA KEV | 7.8
Description
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
CVE Details
CVSS v3.1 score: 7.8
Severity: HIGH
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: LOCAL
Complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 11/9/2017
Last modified: 4/21/2026
Source: kev
Honeypot sightings: 0
CISA KEV
Vendor: Roundcube
Product: Roundcube Webmail
Vulnerability name: Roundcube Webmail File Disclosure Vulnerability
KEV date added: 2021-11-03
Remediation due date: 2022-05-03
Ransomware use: Unknown
Affected products
debian:debian_linux
roundcube:webmail
Weaknesses (CWE)
CWE-552
References
http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html (cve@mitre.org)
http://www.securityfocus.com/bid/101793 (cve@mitre.org)
https://github.com/roundcube/roundcubemail/issues/6026 (cve@mitre.org)
https://www.debian.org/security/2017/dsa-4030 (cve@mitre.org)
http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/101793 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/roundcube/roundcubemail/issues/6026 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/roundcube/roundcubemail/releases/tag/1.1.10 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/roundcube/roundcubemail/releases/tag/1.2.7 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/roundcube/roundcubemail/releases/tag/1.3.3 (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2017/11/msg00039.html (af854a3a-2127-422b-91ae-364da2661108)
https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10 (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2017/dsa-4030 (af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-16651 (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.