#VU12078 Command injection in Roundcube - CVE-2018-9846


| Updated: 2018-04-22

Vulnerability identifier: #VU12078

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:U/U:Green]

CVE-ID: CVE-2018-9846

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Roundcube
Web applications / Webmail solutions

Vendor: Roundcube

Description
The vulnerability allows a remote attacker to execute arbitrary IMAP command.

The vulnerability exists in Roundcube when processing user-supplied data passed via the "_uid" HTTP GET parameter to archive.php script. A remote authenticated attacker can execute arbitrary IMAP command after "%0d%0a" characters.

Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to email messages of other users.

Mitigation
Update to version 1.1.11, 1.2.8 or 1.3.6.

Vulnerable software versions

Roundcube: 1.1.0 - 1.1.10, 1.2.0 - 1.2.7, 1.3.0 - 1.3.5

External links
https://roundcube.net/news/2018/04/11/security-update-1.3.6
https://roundcube.net/news/2018/04/17/security-updates-1.2.8-1.1.11

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Fedora EPEL 7 update for roundcubemail
Debian update for roundcube
IMAP command injection in Roundcube
Fedora EPEL 7 update for roundcubemail
Arch Linux update for roundcubemail
Command injection in roundcubemail (Alpine package)
Fedora 28 update for roundcubemail
Fedora 27 update for roundcubemail
Fedora 26 update for roundcubemail