1448400 – (CVE-2017-8114) CVE-2017-8114 roundecubemail: arbitrary password resets by authenticated users

Bug 1448400 (CVE-2017-8114) - CVE-2017-8114 roundecubemail: arbitrary password resets by authenticated users

Summary: CVE-2017-8114 roundecubemail: arbitrary password resets by authenticated users

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2017-8114
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1448401
Blocks:
TreeView+	depends on / blocked

Reported:	2017-05-05 11:18 UTC by Andrej Nemec
Modified:	2021-02-17 02:11 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-12-26 18:51:48 UTC

Attachments	(Terms of Use)

Description Andrej Nemec 2017-05-05 11:18:01 UTC

Roundcube Webmail allows arbitrary password resets by authenticated
users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and
1.2.x before 1.2.5. The problem is caused by an improperly restricted
exec call in the virtualmin and sasl drivers of the password plugin.

External References:

https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11

Comment 1 Andrej Nemec 2017-05-05 11:18:35 UTC

Created roundcubemail tracking bugs for this issue:

Affects: epel-6 [bug 1448401]

Comment 2 Kevin Fenzi 2020-12-26 18:51:48 UTC

This was fixed 3 years ago. Closing.

Note You need to log in before you can comment on or make changes to this bug.