← back
CVE-2017-16651

CVE-2017-16651

CVSS 7.8 HIGHEPSS 42.8%● KEVCWE-552
In short

Roundcube Webmail has a flaw that lets authenticated users access files they shouldn't be able to read on the server, including sensitive configuration files. An attacker needs valid login credentials to exploit this vulnerability.

Technical detail

CWE-552 path traversal vulnerability in Roundcube's file-based attachment plugins and timezone upload handler allows authenticated attackers to read arbitrary files via crafted requests to _task=settings&_action=upload-display&_from=timezone. Exploitation requires valid authentication credentials and an active session; impact includes unauthorized disclosure of sensitive configuration data and system files.

Summary generated and translated by AI from the official description.
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
public PoCs found2
githubgithub.com/ropbear/CVE-2017-166513cve_referencepacketstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.htmlhttps://github.com/roundcube/roundcubemail/issues/6026https://github.com/roundcube/roundcubemail/releases/tag/1.1.10https://github.com/roundcube/roundcubemail/releases/tag/1.2.7https://github.com/roundcube/roundcubemail/releases/tag/1.3.3https://lists.debian.org/debian-lts-announce/2017/11/msg00039.htmlhttps://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-16651https://www.debian.org/security/2017/dsa-4030http://www.securityfocus.com/bid/101793