Vulnerability in N/a
CVE-2017-16651
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must…
EPSS: 0.359 (97.2th percentile).
Affected products
- N/a — versions n/a
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on 2021-11-03. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate by a published due date.
BOD 22-01 due date: .
Required action: Apply updates per vendor instructions.
Public proof-of-concept exploits
References
- github.com/roundcube/roundcubemail/releases/tag/1.3.3 (x_refsource_CONFIRM)
- roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10 (x_refsource_CONFIRM)
- [debian-lts-announce] 20171128 [SECURITY] [DLA 1193-1] roundcube security update (mailing-list, x_refsource_MLIST)
- github.com/roundcube/roundcubemail/releases/tag/1.1.10 (x_refsource_CONFIRM)
- 101793 (vdb-entry, x_refsource_BID)
- github.com/roundcube/roundcubemail/releases/tag/1.2.7 (x_refsource_CONFIRM)
- DSA-4030 (vendor-advisory, x_refsource_DEBIAN)
- github.com/roundcube/roundcubemail/issues/6026 (x_refsource_CONFIRM)
- packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html (x_refsource_MISC)
Frequently asked questions
- What is CVE-2017-16651?
- CVE-2017-16651 is a vulnerability in N/a. Published 2017-11-09.
- Is CVE-2017-16651 known to be exploited?
- Yes. CVE-2017-16651 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating it is being actively exploited. 6 public proof-of-concept repositories are indexed.