9.8

CVE-2020-12641

Warnung
Exploit
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RoundcubeWebmail Version >= 1.2.0 < 1.2.10
RoundcubeWebmail Version >= 1.3.0 < 1.3.11
RoundcubeWebmail Version >= 1.4.0 < 1.4.4
OpensuseBackports Sle Version15.0 Updatesp1
OpensuseBackports Sle Version15.0 Updatesp2
OpensuseLeap Version15.1
OpensuseLeap Version15.2

22.06.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Roundcube Webmail Remote Code Execution Vulnerability

Schwachstelle

Roundcube Webmail contains an remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 84.46% 0.997
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html
Third Party Advisory
Mailing List
https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4
Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.4.4
Release Notes
https://security.gentoo.org/glsa/202007-41
Third Party Advisory
https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10
Vendor Advisory
Release Notes
https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12641-Command%20Injection-Roundcube
Third Party Advisory
Exploit
https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3
Patch
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-12641
US Government Resource