CVE-2020-12641
Published: 04 May 2020
Summary
CVE-2020-12641 is a critical-severity OS Command Injection (CWE-78) vulnerability in Roundcube Webmail. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-12641 is a command injection vulnerability (CWE-78) in rcube_image.php within Roundcube Webmail versions prior to 1.4.4. It arises when user-supplied values containing shell metacharacters are passed to the ImageMagick utilities configured via the im_convert_path or im_identify_path settings, enabling arbitrary operating system command execution.
Unauthenticated remote attackers can exploit the flaw over the network by manipulating these configuration parameters. Successful exploitation grants full control over the affected webmail instance, including the ability to read, modify, or delete data and execute code with the privileges of the web server process.
The referenced Roundcube 1.4.4 release and its associated commit address the issue by sanitizing the path configuration values before they are used in shell commands. openSUSE and other distribution advisories recommend upgrading to the patched version as the primary mitigation.
A public proof-of-concept demonstrating the injection vector is available in the referenced GitHub disclosure repository.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-4942
Vulnerability details
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 22 June 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly requires validation and sanitization of the configuration inputs (im_convert_path, im_identify_path) so that shell metacharacters are blocked before the values reach external commands.
SI-2 (Flaw Remediation): mandates timely application of the vendor patch (1.4.4 or later), which sanitizes the path values and eliminates the command-injection flaw.
CM-7 (Least Functionality): enforces least functionality by disabling or restricting unnecessary ImageMagick integration and the external command execution paths that make the injection possible.
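As an added illustration of the patch-level and input-validation checks above (example code written for this page, not Roundcube's own fix; the helper names, the character allow-list and the sample values are assumptions):

```php
<?php
// Added example, not Roundcube's code. It shows the two checks the controls
// above call for: is the installed release older than the fixed 1.4.4 (SI-2),
// and are the im_convert_path / im_identify_path settings free of shell
// metacharacters before they reach an external command (SI-10).
// All function names are hypothetical helpers.

/** True when the running Roundcube predates the fixed release 1.4.4. */
function is_vulnerable_version(string $version): bool
{
    return version_compare($version, '1.4.4', '<');
}

/**
 * Return the configured ImageMagick binary path only if it is safe to place
 * on a command line; null means "refuse to run the external tool".
 */
function validate_im_path(?string $path): ?string
{
    if ($path === null || $path === '') {
        return null;                 // integration disabled: nothing to execute
    }
    // Absolute path built from a conservative allow-list (an assumption of
    // this example). Anything else, including ; | & $ ` < > ( ) and
    // whitespace, is rejected outright rather than escaped.
    if (!preg_match('#^/[A-Za-z0-9._+/-]+$#', $path) || strpos($path, '..') !== false) {
        return null;
    }
    return is_executable($path) ? $path : null;
}

/** Build the convert command with every token quoted, never concatenated raw. */
function build_convert_command(string $convert_path, string $in, string $out): ?string
{
    $bin = validate_im_path($convert_path);
    if ($bin === null) {
        return null;
    }
    return implode(' ', array_map('escapeshellarg', [$bin, $in, $out]));
}

// Constructed sample values for a quick self-check.
var_dump(is_vulnerable_version('1.4.3'));                     // unpatched release
var_dump(is_vulnerable_version('1.4.4'));                     // fixed release
var_dump(validate_im_path('/usr/bin/convert;echo injected')); // metacharacters rejected
var_dump(build_convert_command('/usr/bin/convert', 'in.jpg', 'out.png'));
```

The last call returns a quoted command string only on a host where /usr/bin/convert exists and is executable; otherwise the validator refuses and returns null.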