CVE-2015-2180
Published 2017-01-30
Priority P2 · 61 · high · 8.8 CVSS 3.0
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.71% (90.7th percentile)
The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.1.1+dfsg.1-2 (bookworm) | roundcube 1.1.1+dfsg.1-2 (bookworm) |
| roundcube | webmail | <= 1.1 | — |
Detection & IOCs
- Monitor for shell metacharacters in password change requests targeting the Roundcube Password plugin's DBMail driver, which can lead to arbitrary OS command execution with root privileges.
- Alert on Roundcube Password plugin DBMail driver usage where the new password field contains shell metacharacters (e.g., ;, |, &, $, `, etc.).
- Flag Roundcube instances running versions before 1.1.0 (or Debian package before 1.1.1+dfsg.1-2) with the Password plugin and DBMail driver enabled as vulnerable.
- The Password plugin (and its DBMail driver) is disabled by default in Roundcube; exploitation requires the plugin to be explicitly enabled by an administrator.
- Exploitation also requires the attacker to be an authenticated Roundcube user, limiting exposure to credentialed attackers.
CVSS provenance
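| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |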
GHSA
GHSA-hp2w-q4f4-jq5w
ghsa_unreviewed · 2022-05-14
CVE-2015-2180 [HIGH] CWE-74
The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.
OSV
osv · 2017-01-30 · CVSS 8.8
CVE-2015-2180 [HIGH]
The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.
Debian
vendor_debian · 2015 · CVSS 8.8
CVE-2015-2180 [HIGH] roundcube
The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.
Scope: local
bookworm: resolved (fixed in 1.1.1+dfsg.1-2)
bullseye: resolved (fixed in 1.1.1+dfsg.1-2)
forky: resolved (fixed in 1.1.1+dfsg.1-2)
sid: resolved (fixed in 1.1.1+dfsg.1-2)
trixie: resolved (fixed in 1.1.1+dfsg.1-2)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-2180 [HIGH] roundcubemail: New password not sanitized against injecting shell meta characters in DBMail driver [epel-6]
bugzilla · 2017-01-31 · CVSS 8.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Bugzilla
CVE-2015-2180 [HIGH] roundcubemail: New password not sanitized against injecting shell meta characters in DBMail driver [epel-5]
bugzilla · 2017-01-31 · CVSS 8.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-5.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Bugzilla
CVE-2015-2180 [HIGH] roundcubemail: New password not sanitized against injecting shell meta characters in DBMail driver
bugzilla · 2017-01-31 · CVSS 8.8
Roundcube is shipped with the Password plugin. It is, as any other plugin, disabled by default. Once enabled, it allows an authenticated user to change his current password in the web interface. For this purpose, the plugin offers several drivers that can be used to perform the actual password change in the back end.
The DBMail driver suffers from a critical Remote Command Execution vulnerability that enables an attacker to execute arbitrary system commands with root privileges.
Upstream bug:
https://github.com/roundcube/roundcubemail/issues/4757
Upstream patch:
https://github.com/roundcube/roundcubemail/commit/7c96646de0efda16cded8491138bfefe31aca940
Created: 2017-01-30
Published