Bug 1448400 (CVE-2017-8114)

Summary: CVE-2017-8114 roundcubemail: arbitrary password resets by authenticated users
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: fedora, gwync, kevin, mhlavink, pokorra.mailinglists, tmraz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20170428,reported=20170428,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N,fedora-all/roundcubemail=notaffected,epel-7/roundcubemail=notaffected,epel-6/roundcubemail=affected
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1448401
Bug Blocks:

Description Andrej Nemec 2017-05-05 11:18:01 UTC
Roundcube Webmail allows arbitrary password resets by authenticated
users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and
1.2.x before 1.2.5. The problem is caused by an improperly restricted
exec call in the virtualmin and sasl drivers of the password plugin.

External References:

https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11
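The description above names the bug class but not the code pattern. The following PHP is an added illustration, not code from Roundcube or from this bug report: it shows a generic password driver that shells out to a helper, first with user-controlled values spliced into the command string (the "improperly restricted exec call" pattern) and then in a hardened form. The helper path, the function names and the sample inputs are all hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration, not Roundcube's code. Shows the pattern behind an
// "improperly restricted exec call": a password driver that shells out to a
// helper and splices user-controlled values into the command line.
// $binary, build_command_unsafe and build_command_safe are hypothetical names.

/** Vulnerable pattern: untrusted values interpolated into a shell string. */
function build_command_unsafe(string $binary, string $username, string $newpass): string
{
    // The shell parses this whole string, so quotes, spaces and other
    // metacharacters in $username or $newpass change what gets executed.
    return "$binary --user $username --pass $newpass";
}

/** Hardened pattern: allowlist the identifier, quote every argument. */
function build_command_safe(string $binary, string $username, string $newpass): ?string
{
    // An identifier that reaches a shell should match a strict allowlist;
    // quoting alone does not stop a caller from supplying someone else's name.
    if (!preg_match('/^[A-Za-z0-9._@-]{1,128}$/', $username)) {
        return null; // reject, do not "clean up"
    }
    // escapeshellarg() single-quotes the value and escapes embedded quotes,
    // so the shell hands it to the helper as one literal argument.
    return escapeshellarg($binary)
        . ' --user ' . escapeshellarg($username)
        . ' --pass ' . escapeshellarg($newpass);
}

// Constructed sample inputs.
$binary  = '/usr/local/sbin/setpass';   // hypothetical helper
$user    = 'alice@example.com';         // should come from the authenticated session
$newpass = "new pass'word";             // contains a space and a single quote

echo build_command_unsafe($binary, $user, $newpass), PHP_EOL;
echo build_command_safe($binary, $user, $newpass), PHP_EOL;

// A username with characters outside the allowlist is refused outright.
$rejected = build_command_safe($binary, 'alice bob', $newpass);
echo $rejected === null ? "rejected\n" : $rejected . PHP_EOL;
```

Two design points matter for the integrity impact the bug describes (authenticated users changing passwords they should not be able to change): the username handed to the helper must be the one bound to the authenticated session, never a request parameter, and it should be validated against an allowlist before any quoting is applied. On PHP 7.4 and later, proc_open() also accepts the command as an array of arguments, which bypasses the shell entirely and is preferable when the helper needs no shell features.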

Comment 1 Andrej Nemec 2017-05-05 11:18:35 UTC
Created roundcubemail tracking bugs for this issue:

Affects: epel-6 [bug 1448401]