CVE-2017-16651
Published: 09 November 2017
Summary
CVE-2017-16651 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Roundcube Webmail. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 2.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
Roundcube Webmail versions before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 are affected by a file disclosure vulnerability that permits unauthorized access to arbitrary files on the host filesystem, including configuration files. The flaw is tied to file-based attachment plugins and the handling of specific requests containing the parameters _task=settings&_action=upload-display&_from=timezone, and it is tracked under CWE-552 with a CVSS 3.1 score of 7.8.
An authenticated attacker who possesses valid credentials and maintains an active session can exploit the issue to read sensitive files on the underlying system. The vulnerability was observed being exploited in the wild during November 2017.
Official patches addressing the flaw are provided in the Roundcube releases 1.1.10, 1.2.7, and 1.3.3, which are referenced in the project's GitHub advisories and issue tracker. Security practitioners should apply these updates promptly on all affected installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-7838
Vulnerability details
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
- CWE(s): CWE-552 (Files or Directories Accessible to External Parties)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access restrictions so an authenticated session cannot read arbitrary host files via the vulnerable upload-display handler.
- SI-2 (Flaw Remediation): Requires prompt application of the vendor patches in 1.1.10/1.2.7/1.3.3 that close the file-disclosure flaw.
- Input validation: Validates the _task, _action and _from parameters to block crafted requests that trigger unauthorized filesystem reads.
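As an added example (not from this advisory page or the Roundcube project), the following Python script covers two defender tasks the text above implies: checking an inventoried Roundcube version against the affected ranges the advisory names, and flagging access-log requests that carry the _task=settings&_action=upload-display&_from=timezone combination. The combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

def parse_version(v):
    """'1.3.2' -> (1, 3, 2); plain numeric version strings only."""
    return tuple(int(x) for x in v.split("."))

def is_affected(version):
    """True when the version is in a range the advisory lists as affected:
    before 1.1.10, 1.2.x before 1.2.7, or 1.3.x before 1.3.3."""
    t = parse_version(version)
    if t[:2] == (1, 2):
        return t < (1, 2, 7)
    if t[:2] == (1, 3):
        return t < (1, 3, 3)
    return t < (1, 1, 10)   # covers 1.0.x/1.1.x; 1.4+ compares higher, so False

# Parameter combination the advisory ties to the vulnerable request
SIGNATURE = {"_task": "settings", "_action": "upload-display", "_from": "timezone"}

# Combined access-log format (assumed; adjust to your server's log format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<authuser>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def is_signature_request(url):
    """Match on the decoded query so parameter order or %-encoding cannot hide it."""
    qs = parse_qs(urlsplit(url).query)
    return all(v in qs.get(k, []) for k, v in SIGNATURE.items())

def find_hits(log_text):
    """Return (ip, authuser, status, url) for every line whose request matches SIGNATURE."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_signature_request(m["url"]):
            hits.append((m["ip"], m["authuser"], m["status"], m["url"]))
    return hits

# Constructed sample lines, not real traffic; the first is a normal mailbox listing
SAMPLE_LOG = """\
203.0.113.5 - alice [12/Nov/2017:10:01:02 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 4321
203.0.113.5 - alice [12/Nov/2017:10:01:09 +0000] "GET /?_from=timezone&_task=settings&_action=upload-display HTTP/1.1" 200 1200
198.51.100.7 - bob [12/Nov/2017:10:02:00 +0000] "GET /?_task=settings&_action=upload%2Ddisplay&_from=timezone HTTP/1.1" 200 310
"""
```

A signature match marks a request for review rather than confirming exploitation, since upload-display is also used legitimately; correlate with the source address, account and response status, and treat any hit on a version where is_affected() is true as a priority.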