CVE-2017-8114
Summary
| CVE | CVE-2017-8114 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-04-29 19:59:00 UTC |
| Updated | 2022-09-27 18:16:00 UTC |
| Description | Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. |
Risk And Classification
Problem Types: CWE-269
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Roundcube | Roundcube Webmail | 1.0.10 | All | All | All |
| Application | Roundcube | Roundcube Webmail | 1.1.1 | All | All | All |
| Application | Roundcube | Roundcube Webmail | 1.1.2 | All | All | All |
| Application | Roundcube | Roundcube Webmail | 1.1.3 | All | All | All |
| Application | Roundcube | Roundcube Webmail | 1.1.5 | All | All | All |
| Application | Roundcube | Roundcube Webmail | 1.1.6 | All | All | All |
| Application | Roundcube | Roundcube Webmail | 1.1.8 | All | All | All |
| Application | Roundcube | Roundcube Webmail | 1.2 | beta | All | All |
| Application | Roundcube | Roundcube Webmail | 1.2 | rc | All | All |
| Application | Roundcube | Roundcube Webmail | 1.2.4 | All | All | All |
| Application | Roundcube | Webmail | All | All | All | All |
| Application | Roundcube | Webmail | 1.1 | All | All | All |
| Application | Roundcube | Webmail | 1.1 | beta | All | All |
| Application | Roundcube | Webmail | 1.1 | rc | All | All |
| Application | Roundcube | Webmail | 1.1.4 | All | All | All |
| Application | Roundcube | Webmail | 1.1.7 | All | All | All |
| Application | Roundcube | Webmail | 1.2.0 | All | All | All |
| Application | Roundcube | Webmail | 1.2.1 | All | All | All |
| Application | Roundcube | Webmail | 1.2.2 | All | All | All |
| Application | Roundcube | Webmail | 1.2.3 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| rd/security-advisories/web/roundcube/cve-2017-8114 at master · ilsani/rd · GitHub | MISC | github.com | Exploit, Third Party Advisory |
| Security updates 1.2.5, 1.1.9 and 1.0.11 released | MISC | roundcube.net | Release Notes, Vendor Advisory |
| RoundCube Webmail CVE-2017-8114 Multiple Privilege Escalation Vulnerabilities | BID | www.securityfocus.com | |
| RoundCube: Security bypass (GLSA 201707-11) — Gentoo security | GENTOO | security.gentoo.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 710411 Gentoo Linux RoundCube Security bypass Vulnerability (GLSA 201707-11)