CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
71.5%
Roundcube Webmail 1.2.5
This is a security update to the stable version 1.2. It primarily fixes a recently discovered vulnerability in the virtualmin and sasl drivers of the password plugin plus adds a few cherry-picked bug fixes from upstream versions. A detailed list of changes is shown below.
It’s considered stable and we recommend to update all productive installations of Roundcube with this version. Please do backup your data before updating!
CHANGELOG
Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]
Fix re-positioning of the fixed header of messages list in Chrome when using minimal mode toggle and About dialog (#5711)
Fix so settings/upload.inc could not be used by plugins (#5694)
Fix regression in LDAP fuzzy search where it always used prefix search instead (#5713)
Fix bug where namespace prefix could not be truncated on folders list if show_real_foldernames=true (#5695)
Fix bug where base_dn setting was ignored inside group_filters (#5720)
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2017-ede53aa845.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(100034);
script_version("3.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id("CVE-2017-8114");
script_xref(name:"FEDORA", value:"2017-ede53aa845");
script_name(english:"Fedora 25 : roundcubemail (2017-ede53aa845)");
script_summary(english:"Checks rpm output for the updated package.");
script_set_attribute(
attribute:"synopsis",
value:"The remote Fedora host is missing a security update."
);
script_set_attribute(
attribute:"description",
value:
"**Roundcube Webmail 1.2.5**
This is a security update to the stable version 1.2. It primarily
fixes a recently discovered vulnerability in the virtualmin and sasl
drivers of the password plugin plus adds a few cherry-picked bug fixes
from upstream versions. A detailed list of changes is shown below.
It's considered stable and we recommend to update all productive
installations of Roundcube with this version. Please do backup your
data before updating!
CHANGELOG
- Password: Fix security issue in virtualmin and sasl
drivers [CVE-2017-8114]
- Fix re-positioning of the fixed header of messages list
in Chrome when using minimal mode toggle and About
dialog (#5711)
- Fix so settings/upload.inc could not be used by plugins
(#5694)
- Fix regression in LDAP fuzzy search where it always used
prefix search instead (#5713)
- Fix bug where namespace prefix could not be truncated on
folders list if show_real_foldernames=true (#5695)
- Fix bug where base_dn setting was ignored inside
group_filters (#5720)
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
);
script_set_attribute(
attribute:"see_also",
value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-ede53aa845"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected roundcubemail package."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:roundcubemail");
script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/29");
script_set_attribute(attribute:"patch_publication_date", value:"2017/05/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/09");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Fedora Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
flag = 0;
if (rpm_check(release:"FC25", reference:"roundcubemail-1.2.5-1.fc25")) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "roundcubemail");
}
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
71.5%