CVE-2017-8114
roundcube - security update
CVSS 3.1 score: 8.8 (HIGH); EPSS: 1.5%
Description
Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.
How to fix CVE-2017-8114
To remediate CVE-2017-8114, upgrade the affected package to one of the fixed versions listed below.
- Alpine roundcubemail: upgrade to 1.1.9-r0 or later
- (package not named on the page): upgrade to 1.2.3+dfsg.1-4 or later
- (package not named on the page): upgrade to 0.7.2-9+deb7u7 or later
Is CVE-2017-8114 being exploited?
Low. EPSS is 1.5%, a low estimated probability of exploitation activity in the wild. Note that the 8.8 CVSS score reflects the impact once an authenticated user (PR:L in the vector below) triggers the flaw, not the likelihood of exploitation.
Affected packages (3)
- Alpine roundcubemail: from 0, < 1.1.9-r0
- (package not named on the page): from 0, < 1.2.3+dfsg.1-4
- (package not named on the page): from 0, < 0.7.2-9+deb7u7
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |