CVE-2021-44026
Published: 19 November 2021
Summary
CVE-2021-44026 is a critical-severity SQL Injection (CWE-89) vulnerability in Debian Linux (Roundcube webmail). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Roundcube webmail versions before 1.3.17 and 1.4.x before 1.4.12 are affected by a potential SQL injection vulnerability (CWE-89) in the handling of search or search_params inputs. The issue carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.
An unauthenticated remote attacker can supply crafted search parameters to inject arbitrary SQL statements, resulting in full read, write, or delete access to the underlying database and potential compromise of stored email data or user credentials.
Public references, including Debian LTS announcements, Fedora package updates, and upstream Roundcube commits, direct administrators to apply the available patches that correct input sanitization in the affected search code paths. No details on observed in-the-wild exploitation are provided in the source material.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-30885
Vulnerability details
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
- CWE(s): CWE-89 (SQL Injection)
- KEV Date Added: 22 June 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of the untrusted search/search_params inputs that are the root cause of the SQL injection in Roundcube.
- SI-2 (Flaw Remediation): Mandates timely application of the vendor patches that correct the missing input sanitization in the affected search code paths.
- Least privilege for the database account: Limits the database privileges granted to the Roundcube application account so that a successful SQL injection yields minimal read/write impact on email data.
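As an added illustration of the input-validation control (SI-10) described above, and not code from Roundcube or from this advisory: a mailbox search handler that splices `search` and `search_params` straight into SQL, beside a hardened version that allow-lists the searchable column, binds the search text as a query parameter and escapes LIKE wildcards. It runs against a constructed in-memory SQLite table; the table, column names and sample messages are hypothetical.

```python
import re
import sqlite3

# Constructed sample mailbox: three messages belonging to two users.
SAMPLE_MESSAGES = [
    (1, "alice", "Quarterly report", "numbers up 100%"),
    (2, "alice", "Lunch?", "noon works"),
    (3, "bob", "Password reset", "your token is enclosed"),
]

# Allow-list of columns a caller may search on (hypothetical schema).
# Anything else is rejected before it can reach the SQL text.
SEARCHABLE_COLUMNS = {"subject", "body"}


def make_db():
    """Create the in-memory mailbox table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (uid INTEGER, owner TEXT, subject TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", SAMPLE_MESSAGES)
    return conn


def search_unsafe(conn, owner, search, search_params):
    """Vulnerable pattern: column name and search text are spliced into SQL.

    Any quote in `search` ends the string literal, so untrusted input is
    interpreted as SQL rather than as the text to look for.
    """
    col = search_params.get("column", "subject")
    sql = (
        f"SELECT uid FROM messages WHERE owner = '{owner}' "
        f"AND {col} LIKE '%{search}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, owner, search, search_params):
    """Hardened pattern: validate the column, bind the text as a parameter."""
    col = search_params.get("column", "subject")
    if col not in SEARCHABLE_COLUMNS:
        # Identifiers cannot be bound as parameters, so they must be
        # checked against a fixed allow-list instead.
        raise ValueError(f"unsupported search column: {col!r}")
    # Escape LIKE metacharacters so '%' and '_' in user text match literally.
    pattern = "%" + re.sub(r"([%_\\])", r"\\\1", search) + "%"
    sql = f"SELECT uid FROM messages WHERE owner = ? AND {col} LIKE ? ESCAPE '\\'"
    # The driver sends `owner` and `pattern` separately from the SQL text,
    # so quotes inside them never change the statement's structure.
    return [row[0] for row in conn.execute(sql, (owner, pattern))]


def demo():
    """Run both handlers on a benign search and on a quote-bearing one."""
    conn = make_db()
    benign = "report"
    # Constructed input containing a quote and a comment marker; in the
    # unsafe handler it escapes the owner filter, in the safe one it is
    # just a string nobody's subject contains.
    quoted = "x' OR 1=1 --"
    return {
        "unsafe_benign": search_unsafe(conn, "alice", benign, {}),
        "unsafe_quoted": search_unsafe(conn, "alice", quoted, {}),
        "safe_benign": search_safe(conn, "alice", benign, {}),
        "safe_quoted": search_safe(conn, "alice", quoted, {}),
        "safe_wildcard": search_safe(conn, "alice", "100%", {"column": "body"}),
    }


if __name__ == "__main__":
    for name, uids in demo().items():
        print(f"{name}: {uids}")
```

The per-owner filter in `search_unsafe` is the same kind of scoping a webmail search relies on to keep one user's results away from another's; the output shows it is bypassed the moment the search text is treated as SQL, which is why the advisory pairs the patch (SI-2) with a least-privilege database account as the backstop.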