Candidate: CVE-2021-44026
PublicDate: 2021-11-19 04:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44026
 https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1 (1.4.12)
 https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa (1.3.17)
 https://bugs.debian.org/1000156
 https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa
 https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
Description:
 Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential
 SQL injection via search or search_params.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000156
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_roundcube:
 upstream: https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1 (1.4.12)
 upstream: https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa (1.3.17)
upstream_roundcube: released (1.3.17, 1.4.12)
trusty_roundcube: ignored (out of standard support)
trusty/esm_roundcube: DNE (trusty was needed)
xenial_roundcube: ignored (out of standard support, was needed)
bionic_roundcube: needed
focal_roundcube: needed
hirsute_roundcube: ignored (reached end-of-life)
impish_roundcube: needed
jammy_roundcube: not-affected (1.5.0+dfsg.1-2)
devel_roundcube: not-affected (1.5.0+dfsg.1-2)