rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. Reference: https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10 Upstream commit: https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3
Created roundcubemail tracking bugs for this issue: Affects: epel-all [bug 1833481] Affects: fedora-all [bug 1833482]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.