Candidate: CVE-2020-12640
PublicDate: 2020-05-04 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12640
 https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794
 https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10
 https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4
 https://github.com/roundcube/roundcubemail/releases/tag/1.4.4
Description:
 Roundcube Webmail before 1.4.4 allows attackers to include local files and
 execute code via directory traversal in a plugin name to
 rcube_plugin_api.php.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_roundcube:
upstream_roundcube: released (1.4.4+dfsg.1-1)
precise/esm_roundcube: DNE
trusty_roundcube: ignored (out of standard support)
trusty/esm_roundcube: DNE
xenial_roundcube: ignored (end of standard support, was needed)
bionic_roundcube: needed
eoan_roundcube: ignored (reached end-of-life)
focal_roundcube: needed
groovy_roundcube: not-affected (1.4.4+dfsg.1-1)
hirsute_roundcube: not-affected (1.4.4+dfsg.1-1)
impish_roundcube: not-affected (1.4.4+dfsg.1-1)
jammy_roundcube: not-affected (1.4.4+dfsg.1-1)
devel_roundcube: not-affected (1.4.4+dfsg.1-1)