Cyber Resilience

CVE-2017-16651

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 09 November 2017
Modified: 21 April 2026
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3594 (97.2nd percentile)
Risk Priority: 57 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-16651 is a high-severity file disclosure vulnerability in Roundcube Webmail, classified as CWE-552 (Files or Directories Accessible to External Parties), with a CVSS 3.1 base score of 7.8 (High).

Operationally, it ranks in the top 2.8% of all CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof of concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 contain a file disclosure vulnerability: an authenticated user can read arbitrary files that the web server process can open, including Roundcube's own configuration. That is the practical impact to plan around, because config.inc.php carries the database DSN with its credentials and the des_key used to encrypt the user's IMAP password in the session. The flaw lies in the interaction between file-based attachment plugins and the settings task's upload-display action, and is triggered by requests carrying _task=settings&_action=upload-display&_from=timezone. It is classified as CWE-552 and scored CVSS 3.1 7.8.

Exploitation needs only a valid Roundcube login and an active session; no administrative role is required, so any mailbox account suffices. Reads execute with the privileges of the web server user. The vulnerability was observed being exploited in the wild in November 2017, the month of publication, which is why it carries the Active Exploitation and CISA KEV markers above.

The fix ships in Roundcube 1.1.10, 1.2.7 and 1.3.3, referenced in the project's GitHub advisories and issue tracker. Apply the matching release on each affected branch promptly; installations on 1.0.x or older have no fixed release on their branch and must move to a patched branch.
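The version ranges above are easy to get wrong in inventory queries (1.2.7 is fixed but 1.2.6 is not; 1.0.x has no fixed release at all). The following script is added here as an illustration and is not Roundcube project code: it encodes the ranges exactly as the advisory states them, treats beta/rc tags as older than the release they precede, and triages a constructed sample inventory whose host names and versions are made up.

```python
"""Affected-version triage for CVE-2017-16651 (Roundcube Webmail).

Added example, not Roundcube project code. The version ranges come from the
advisory text: before 1.1.10, 1.2.x before 1.2.7, 1.3.x before 1.3.3, fixed in
1.1.10 / 1.2.7 / 1.3.3. The inventory at the bottom is constructed sample data.
"""
import re

# (major, minor) branch -> first fixed release on that branch, as a comparable
# tuple (major, minor, patch, final). final=1 marks a numbered release; a
# pre-release (beta/rc) gets final=0 so it sorts before the release it precedes.
FIXED_IN = {
    (1, 1): (1, 1, 10, 1),
    (1, 2): (1, 2, 7, 1),
    (1, 3): (1, 3, 3, 1),
}

# Accepts "1.2.4", "1.3", "1.3-rc", "1.3.3-beta2"; anything else is rejected
# rather than silently treated as safe.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(beta|rc)\d*)?$", re.I)


def parse_version(text):
    """Turn a Roundcube version string into a (major, minor, patch, final) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    final = 0 if m.group(4) else 1
    return (major, minor, patch, final)


def is_affected(text):
    """True when the version falls inside the advisory's vulnerable ranges."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    # Branches older than 1.1 are entirely "before 1.1.10" and have no fixed
    # release; 1.4 and later shipped after the fix and are not affected.
    return branch < (1, 1)


def remediation_target(text):
    """Fixed release on the host's branch, or None when the branch has none
    (then the only remediation is moving to a patched branch)."""
    fixed = FIXED_IN.get(parse_version(text)[:2])
    return ".".join(str(n) for n in fixed[:3]) if fixed else None


def triage(inventory):
    """inventory: {host: version string} -> sorted list of (host, version, target)
    for every host that still needs patching."""
    findings = []
    for host, version in sorted(inventory.items()):
        if is_affected(version):
            findings.append((host, version, remediation_target(version)))
    return findings


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "mail-a.example": "1.2.4",
    "mail-b.example": "1.2.7",
    "mail-c.example": "1.3.3-rc",
    "mail-d.example": "1.0.5",
    "mail-e.example": "1.4.0",
}

if __name__ == "__main__":
    for host, version, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected; upgrade to {target or 'a supported branch'}")
```

Unparseable version strings raise rather than being skipped, so a scanner that feeds this function cannot quietly report an unknown build as clean.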


Vulnerability details

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.

CWE(s): CWE-552 (Files or Directories Accessible to External Parties)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

roundcube webmail: ≤ 1.1.9; 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4
debian linux: 7.0, 9.0

This asset enumeration is narrower than the advisory's version ranges: 1.2.5, 1.2.6 and 1.3.0 through 1.3.2 are also vulnerable according to the vendor text above, so inventory matching should use the ranges (before 1.1.10, 1.2.x before 1.2.7, 1.3.x before 1.3.3) rather than this list alone.

Mitigating Controls (NIST 800-53 r5) [AI]

AC-3 Access Enforcement · prevent

Directly enforces access restrictions so an authenticated session cannot read arbitrary host files via the vulnerable upload-display handler. In practice this is an OS-level control: the read runs as the web server user, so file permissions and PHP's open_basedir bound what can be disclosed, but they cannot protect Roundcube's own configuration, which the application must be able to read. Treat it as a partial compensating control, not a substitute for the patch.

SI-2 Flaw Remediation · prevent

Requires prompt application of the vendor patches in 1.1.10/1.2.7/1.3.3 that close the file-disclosure flaw.

Input validation · prevent

Validates _task, _action and _from parameters to block crafted requests that trigger unauthorized filesystem reads. Until the patch is applied, the same three-parameter combination can be denied at the reverse proxy or WAF in front of Roundcube, and the matching requests should be logged for investigation.
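To make the input-validation control concrete on the detection side, here is a log hunt in Python, added as an example and not Roundcube's code or a vendor-supplied signature. It keys on the only request signature this page documents (_task=settings, _action=upload-display and _from=timezone on the same request), percent-decodes parameter values so encoded variants are not missed, and records whether the server answered 200, which on an unpatched host is the strongest indication that file contents were returned. The access-log lines are constructed, in combined log format, with addresses from documentation ranges.

```python
"""Hunt for CVE-2017-16651 probes in web server access logs.

Added example, not Roundcube project code. The request signature is the one
this page documents: _task=settings, _action=upload-display and _from=timezone
on the same request. The log lines below are constructed (combined log format,
documentation IP ranges), not captured traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, identd, user, [timestamp], "METHOD URI PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Every key must be present with exactly this value for a request to match.
SIGNATURE = {"_task": "settings", "_action": "upload-display", "_from": "timezone"}


def is_probe(uri):
    """True when the query string carries the full documented signature.
    parse_qs percent-decodes, so 'timez%6Fne' still matches; parameter order
    does not matter and extra parameters are ignored."""
    qs = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return all(expected in qs.get(key, []) for key, expected in SIGNATURE.items())


def scan(lines):
    """Return one record per matching request: who, when, what, and whether
    the server answered 200 (served=True)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_probe(m.group("uri")):
            continue
        hits.append({
            "client": m.group("client"),
            "time": m.group("ts"),
            "status": int(m.group("status")),
            "uri": m.group("uri"),
            "served": m.group("status") == "200",
        })
    return hits


# Constructed sample: two probes (the second percent-encoded) and three
# non-matching Roundcube requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2017:10:14:03 +0000] "GET /roundcube/?_task=settings&_action=upload-display&_from=timezone HTTP/1.1" 200 1893 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Nov/2017:10:14:10 +0000] "GET /roundcube/?_task=mail&_action=list&_mbox=INBOX HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Nov/2017:10:15:41 +0000] "GET /roundcube/?_task=settings&_action=upload-display&_from=timez%6Fne HTTP/1.1" 302 0 "-" "curl/7.55.1"',
    '198.51.100.9 - - [12/Nov/2017:10:16:02 +0000] "GET /roundcube/?_task=settings&_action=upload-display&_from=edit-identity HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Nov/2017:10:16:30 +0000] "POST /roundcube/?_task=settings&_action=save-prefs HTTP/1.1" 200 410 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the attack needs an authenticated session, a hit should be joined against Roundcube's own session or login records to identify which mailbox account issued the request; that account's credentials should be treated as compromised.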
