cbcvebase.
CVE-2016-9920
published 2016-12-08

CVE-2016-9920: steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not…

Priority: P3 50 high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 5.62% (92.0th percentile)
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.

Affected (7 ranges)

Vendor      Product             Version range                               Fixed in
debian      roundcube           < roundcube 1.2.3+dfsg.1-1 (bookworm)       roundcube 1.2.3+dfsg.1-1 (bookworm)
roundcube   roundcube_webmail   >= 0 < 1.2~beta+dfsg.1-0ubuntu1+esm7        1.2~beta+dfsg.1-0ubuntu1+esm7
roundcube   roundcube_webmail   >= 0 < 1.3.6+dfsg.1-1ubuntu0.1~esm7         1.3.6+dfsg.1-1ubuntu0.1~esm7
roundcube   webmail             <= 1.1.6
roundcube   webmail
roundcube   webmail
roundcube   webmail

Detection & IOCs (extracted from sources)

Path: steps/mail/sendmail.inc
  • Monitor for Roundcube sendmail invocations that include attacker-controlled envelope-from (-f) arguments on the sendmail command line, which can be abused for arbitrary code execution by authenticated users.
  • Exploitation requires no SMTP server to be configured and the sendmail program to be enabled in Roundcube — alert on process spawns of sendmail from a Roundcube web process (e.g., php-fpm/apache) with unexpected -f flag values.
  • Review upstream patches at the referenced GitHub commits for exact code-level diff to build precise file-integrity or YARA rules against vulnerable versions of steps/mail/sendmail.inc.
  • Vulnerability is only exploitable when Roundcube is configured to use the local sendmail binary (no SMTP server configured). Instances using an SMTP server are not affected.
  • Exploitation requires the attacker to be a remote authenticated user; unauthenticated exploitation is not possible.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.0     MEDIUM     AV:N/AC:M/Au:S/C:P/I:P/A:P
osv                       7.5     HIGH
vendor_debian             7.5     HIGH
vendor_ubuntu             6.1     MEDIUM