Bug 1448400 (CVE-2017-8114)

Summary: CVE-2017-8114 roundcubemail: arbitrary password resets by authenticated users
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: fedora, gwync, kevin, mhlavink, tmraz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-12-26 18:51:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1448401
Bug Blocks:

Description Andrej Nemec 2017-05-05 11:18:01 UTC
Roundcube Webmail allows arbitrary password resets by authenticated
users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and
1.2.x before 1.2.5. The problem is caused by an improperly restricted
exec call in the virtualmin and sasl drivers of the password plugin.

External References:

https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11
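
The "improperly restricted exec call" described above, as an added PHP illustration that is not Roundcube's code: the helper binary `/usr/sbin/chgpasswd-helper`, its flags and both functions are assumptions. The weak form interpolates the login name straight into the command line; the restricted form takes the target account from the authenticated session, allow-lists its shape, quotes it as one argument and keeps the secret off argv.

```php
<?php
// Constructed illustration of a password-plugin driver that shells out to a
// helper. Not Roundcube's code: the helper path, its flags and both
// functions are hypothetical.

// Improperly restricted form: the login name goes straight into the command
// string. Whitespace and shell metacharacters in $username are not
// neutralised, so the helper can receive arguments the driver never built
// on purpose, including a different account to operate on.
function change_password_unrestricted(string $username, string $newpass): int
{
    exec("/usr/sbin/chgpasswd-helper -u $username -p $newpass", $out, $rc);
    return $rc;
}

// Allow-list the shape of a mailbox name before it goes anywhere near a shell.
function is_plausible_account_name(string $name): bool
{
    return preg_match('/^[A-Za-z0-9._-]{1,64}(@[A-Za-z0-9.-]{1,255})?$/', $name) === 1;
}

// Restricted form: the account comes from the session (never from a request
// parameter), is allow-listed, is quoted as a single argument, and the new
// password travels over stdin rather than argv, where `ps` could read it.
function change_password_restricted(string $session_user, string $newpass): ?string
{
    if (!is_plausible_account_name($session_user)) {
        return 'refusing: account name has an unexpected shape';
    }
    $cmd  = '/usr/sbin/chgpasswd-helper -u ' . escapeshellarg($session_user);
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return 'helper could not be started';
    }
    fwrite($pipes[0], $newpass . "\n");
    fclose($pipes[0]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $rc = proc_close($proc);
    return $rc === 0 ? null : "helper exited with $rc: " . trim($stderr);
}

// Constructed inputs: a well-formed name passes the allow-list; a name that
// carries a second whitespace-separated token is rejected before any command
// is assembled, which is exactly the case the unrestricted form forwards.
foreach (['alice@example.org', 'alice bob'] as $name) {
    echo $name, ' => ', is_plausible_account_name($name) ? 'accepted' : 'rejected', "\n";
}
```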

Comment 1 Andrej Nemec 2017-05-05 11:18:35 UTC
Created roundcubemail tracking bugs for this issue:

Affects: epel-6 [bug 1448401]

Comment 2 Kevin Fenzi 2020-12-26 18:51:48 UTC
This was fixed 3 years ago. Closing.