CVE-2017-16651
KEV
🔴 Łataj teraz
Luka w Roundcube Webmail umożliwia nieautoryzowany dostęp do plików na serwerze.
CVSS
7.8
EPSS
37.3%
Exploit
weaponized
Vendor
roundcube
Opis źródłowy (NVD)
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
exploit
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 7.8 |
| CISA KEV (aktywnie wykorzystywane) | Tak |
| FIRST EPSS (prawdopodobieństwo exploita) | 37.3% |
| Opublikowano (NVD) | 2017-11-09 14:29:00 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-21 18:00:40 UTC |
Referencje
- http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
- http://www.securityfocus.com/bid/101793 (cve@mitre.org) [Third Party Advisory, VDB Entry]
- https://github.com/roundcube/roundcubemail/issues/6026 (cve@mitre.org) [Issue Tracking, Patch, Third Party Advisory]
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.10 (cve@mitre.org) [Issue Tracking, Release Notes, Third Party Advisory]
- https://github.com/roundcube/roundcubemail/releases/tag/1.2.7 (cve@mitre.org) [Issue Tracking, Release Notes, Third Party Advisory]
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.3 (cve@mitre.org) [Issue Tracking, Release Notes, Third Party Advisory]
- https://lists.debian.org/debian-lts-announce/2017/11/msg00039.html (cve@mitre.org) [Mailing List, Third Party Advisory]
- https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10 (cve@mitre.org) [Issue Tracking, Vendor Advisory]
- https://www.debian.org/security/2017/dsa-4030 (cve@mitre.org) [Issue Tracking, Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-16651 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]