SB2017042841 - Security restrictions bypass in roundcubemail (Alpine package)
Published: April 28, 2017
Security Bulletin ID
SB2017042841
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Security restrictions bypass (CVE-ID: CVE-2017-8114)
The vulnerability allows a remote authenticated attacker to bypass security restrictions.The weakness exists due to improper restriction of exec call in the virtualmin and sasl drivers of the password plugin. A remote attcker can arbitrarily reset passwords, bypass security restrictions and gain elevated privileges on the system.
Successful exploitation of the vulnerability results in privilege escalation.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=30717c64a46cb821a2188235da2f567b2a9711e9
- https://git.alpinelinux.org/aports/commit/?id=59fc0fee613036d25668302ec9e4a9316ffbc689
- https://git.alpinelinux.org/aports/commit/?id=1a9cc81e9c0c47e5dd3d735dead6c6184f86ab3b
- https://git.alpinelinux.org/aports/commit/?id=de51ff3dc809fd14f9e6d0780c79ab0ebd1f95d0
- https://git.alpinelinux.org/aports/commit/?id=eb06a024e1fd450d0e1cf820e7a6f1940c7aff77