Candidate: CVE-2018-1000071
PublicDate: 2018-03-13 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000071
 https://github.com/roundcube/roundcubemail/issues/6173
 https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt
Description:
 roundcube version 1.3.4 and earlier contains an Insecure Permissions
 vulnerability in enigma plugin that can result in exfiltration of gpg
 private key. This attack appears to be exploitable via network connectivity.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_roundcube:
 upstream: https://github.com/roundcube/roundcubemail/commit/48417c5fc9f6eb4b90500c09596606d489c700b5
upstream_roundcube: released (1.4)
precise/esm_roundcube: DNE
trusty_roundcube: ignored (reached end-of-life)
trusty/esm_roundcube: DNE (trusty was not-affected)
xenial_roundcube: ignored (end of standard support, was needed)
artful_roundcube: ignored (reached end-of-life)
bionic_roundcube: needed
cosmic_roundcube: ignored (reached end-of-life)
disco_roundcube: ignored (reached end-of-life)
eoan_roundcube: ignored (reached end-of-life)
focal_roundcube: not-affected (1.4.3+dfsg.1-1)
groovy_roundcube: not-affected (1.4.3+dfsg.1-1)
hirsute_roundcube: not-affected (1.4.3+dfsg.1-1)
impish_roundcube: not-affected (1.4.11+dfsg.1-4)
jammy_roundcube: not-affected (1.5.0+dfsg.1-2)
devel_roundcube: not-affected (1.5.0+dfsg.1-2)