CISA KEV 정보
| 취약점명 | Roundcube Webmail File Disclosure Vulnerability |
|---|---|
| 설명 | Roundcube Webmail contains a file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default. |
| 조치사항 | Apply updates per vendor instructions. |
| 랜섬웨어 캠페인 악용 | Unknown |
| CWE | CWE-552 |
| 등록일 (KEV) | 2021-11-03 |
| 조치 기한 | 2022-05-03 |
| 추가 참고 | https://nvd.nist.gov/vuln/detail/CVE-2017-16651 |
NVD 상세 정보
CVSS v3.1: 7.8 HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HCVSS v2.0: 4.6
AV:L/AC:L/Au:N/C:P/I:P/A:P설명: Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
CWE: CWE-552 | CWE-552
참조
- http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html [Exploit, Third Party Advisory, VDB Entry]
- http://www.securityfocus.com/bid/101793 [Third Party Advisory, VDB Entry]
- https://github.com/roundcube/roundcubemail/issues/6026 [Issue Tracking, Patch, Third Party Advisory]
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.10 [Issue Tracking, Release Notes, Third Party Advisory]
- https://github.com/roundcube/roundcubemail/releases/tag/1.2.7 [Issue Tracking, Release Notes, Third Party Advisory]
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.3 [Issue Tracking, Release Notes, Third Party Advisory]
- https://lists.debian.org/debian-lts-announce/2017/11/msg00039.html [Mailing List, Third Party Advisory]
- https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10 [Issue Tracking, Vendor Advisory]
- https://www.debian.org/security/2017/dsa-4030 [Issue Tracking, Third Party Advisory]
- http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html [Exploit, Third Party Advisory, VDB Entry]
- http://www.securityfocus.com/bid/101793 [Third Party Advisory, VDB Entry]
- https://github.com/roundcube/roundcubemail/issues/6026 [Issue Tracking, Patch, Third Party Advisory]
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.10 [Issue Tracking, Release Notes, Third Party Advisory]
- https://github.com/roundcube/roundcubemail/releases/tag/1.2.7 [Issue Tracking, Release Notes, Third Party Advisory]
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.3 [Issue Tracking, Release Notes, Third Party Advisory]
- ... 외 4건
This product uses the NVD API but is not endorsed or certified by the NVD.