Back to KEVs

CVE-2017-16651

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem,...

Basic Information

CVE State
PUBLISHED
Reserved Date
November 07, 2017
Published Date
November 09, 2017
Last Updated
February 04, 2025
Vendor
Roundcube
Product
Webmail
Description
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
Tags
cisa

CVSS Scores

CVSS v3.1

7.8 - HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

4.6

Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2021-11-03 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2021-01-06 01:46:39 UTC) Source

References

https://github.com/roundcube/roundcubemail/releases/tag/1.3.3 https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10 https://lists.debian.org/debian-lts-announce/2017/11/msg00039.html https://github.com/roundcube/roundcubemail/releases/tag/1.1.10 http://www.securityfocus.com/bid/101793 https://github.com/roundcube/roundcubemail/releases/tag/1.2.7 https://www.debian.org/security/2017/dsa-4030 https://github.com/roundcube/roundcubemail/issues/6026 http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html

Known Exploited Vulnerability Information

Source Added Date
CISA 2021-11-03 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

ropbear/CVE-2017-16651

Type: github • Created: 2021-01-06 01:46:39 UTC • Stars: 3

Python implementation of Roundcube LFI (CVE-2017-16651)

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Added to KEVIntel