Candidate: CVE-2017-8114
PublicDate: 2017-04-29 19:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8114
 https://github.com/roundcube/roundcubemail/releases/tag/1.2.5
 https://github.com/roundcube/roundcubemail/commit/6e054a37d13dc3772d0aa454a32d5dc3bdcc7003 (1.2.x)
 https://github.com/roundcube/roundcubemail/releases/tag/1.1.9
 https://github.com/roundcube/roundcubemail/commit/10b227d70a03e33682aaaa0138e84f9256f3cd50 (1.1.x)
 https://github.com/roundcube/roundcubemail/releases/tag/1.0.11
 https://github.com/roundcube/roundcubemail/commit/271426429bfbb5b63e6dec91b1e4780e8ef1c67e (1.0.x)
Description:
 Roundcube Webmail allows arbitrary password resets by authenticated users.
 This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before
 1.2.5. The problem is caused by an improperly restricted exec call in the
 virtualmin and sasl drivers of the password plugin.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861388
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_roundcube:
upstream_roundcube: released (1.2.3+dfsg.1-4)
precise_roundcube: ignored (reached end-of-life)
precise/esm_roundcube: DNE (precise was needed)
trusty_roundcube: ignored (reached end-of-life)
trusty/esm_roundcube: DNE (trusty was needed)
vivid/stable-phone-overlay_roundcube: DNE
vivid/ubuntu-core_roundcube: DNE
xenial_roundcube: ignored (end of standard support, was needed)
yakkety_roundcube: ignored (reached end-of-life)
zesty_roundcube: ignored (reached end-of-life)
artful_roundcube: ignored (reached end-of-life)
bionic_roundcube: not-affected (1.3.6+dfsg.1-1)
cosmic_roundcube: not-affected (1.3.6+dfsg.1-1)
disco_roundcube: not-affected (1.3.6+dfsg.1-1)
eoan_roundcube: not-affected (1.3.6+dfsg.1-1)
focal_roundcube: not-affected (1.3.6+dfsg.1-1)
groovy_roundcube: not-affected (1.3.6+dfsg.1-1)
hirsute_roundcube: not-affected (1.3.6+dfsg.1-1)
impish_roundcube: not-affected (1.3.6+dfsg.1-1)
jammy_roundcube: not-affected (1.3.6+dfsg.1-1)
devel_roundcube: not-affected (1.3.6+dfsg.1-1)