CVE-2017-16651
Published 2017-11-09
Priority P1 86 high · CVSS 3.1: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 42.83% (98.5th percentile)
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | roundcube | < roundcube 1.3.3+dfsg.1-1 (bookworm) | roundcube 1.3.3+dfsg.1-1 (bookworm) |
| roundcube | webmail | <= 1.1.9 | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to the login endpoint containing the parameter '_timezone[files][1][path]', which is used to inject an arbitrary file path during authentication.
- Detect authenticated GET requests combining all three parameters: _task=settings, _action=upload-display, and _from=timezone. This is the file retrieval step of the exploit.
- The attack requires a valid authenticated session; look for the two-stage pattern: a login POST with _timezone[files][1][path] followed by a GET with _task=settings&_action=upload-display&_from=timezone from the same session.
- Flag requests where _from=timezone is combined with the upload-display action, as this triggers file-based attachment plugins to serve the injected file path.
- The vulnerability is only exploitable when file-based attachment plugins are enabled; these are used by default, meaning most default installations are vulnerable.
- Affected versions span 1.1.0–1.1.9, 1.2.0–1.2.6, and 1.3.0–1.3.2; detections should be scoped to these version ranges and retired once patched to 1.1.10, 1.2.7, or 1.3.3 respectively.
- This vulnerability was exploited in the wild in November 2017 and is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active threat actor use.
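The two-stage correlation described in the list above, as an added example (not code from this page or from any vendor rule set). It assumes a reverse-proxy or WAF log that records request bodies, since standard access logs do not; the JSON field names `ts`, `session`, `method`, `query` and `body` are hypothetical, and the sample records are constructed.

```python
import json
from urllib.parse import parse_qsl

# Constructed sample records, not from a real system. Assumed schema (hypothetical
# field names): one JSON object per line with ts, session, method, query, body.
SAMPLE_LOG = """\
{"ts": 1, "session": "s-a", "method": "POST", "query": "_task=login", "body": "_user=alice&_timezone=Europe%2FBerlin"}
{"ts": 2, "session": "s-b", "method": "POST", "query": "_task=login", "body": "_user=bob&_timezone%5Bfiles%5D%5B1%5D%5Bpath%5D=%2Fconstructed%2Fplaceholder"}
{"ts": 3, "session": "s-a", "method": "GET", "query": "_task=settings&_action=upload-display&_from=edit-identity"}
{"ts": 4, "session": "s-b", "method": "GET", "query": "_task=settings&_action=upload-display&_from=timezone"}
{"ts": 5, "session": "s-c", "method": "GET", "query": "_from=timezone&_action=upload-display&_task=settings"}
"""

# The three parameters the page lists for the file retrieval step.
RETRIEVAL = {"_task": "settings", "_action": "upload-display", "_from": "timezone"}


def params(rec):
    # parse_qsl percent-decodes names, so %5Bfiles%5D and [files] compare equal.
    raw = "&".join(filter(None, (rec.get("query"), rec.get("body"))))
    return parse_qsl(raw, keep_blank_values=True)


def is_injection(rec):
    # Stage 1: login POST with a _timezone[files]... parameter (any index or key,
    # slightly broader than the exact _timezone[files][1][path] name).
    p = params(rec)
    return (rec["method"] == "POST" and ("_task", "login") in p
            and any(name.startswith("_timezone[files]") for name, _ in p))


def is_retrieval(rec):
    # Stage 2: GET carrying all three parameters, in any order.
    q = dict(params(rec))
    return rec["method"] == "GET" and all(q.get(k) == v for k, v in RETRIEVAL.items())


def detect(log_text):
    """Return (ts, session, finding) tuples; escalate when both stages share a session."""
    injected, findings = set(), []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        sid = rec["session"]
        if is_injection(rec):
            injected.add(sid)
            findings.append((rec["ts"], sid, "timezone-path-injection"))
        elif is_retrieval(rec):
            kind = "two-stage-file-disclosure" if sid in injected else "upload-display-from-timezone"
            findings.append((rec["ts"], sid, kind))
    return findings
```

A retrieval request seen without a preceding injection in the same session is still reported, at lower confidence, because the login POST may have been logged without its body.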
CVSS provenance
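| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.8 | HIGH | — |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |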
Ubuntu
Roundcube vulnerability
vendor_ubuntu·2025-01-13
CVE-2017-16651 Roundcube vulnerability
Title: Roundcube vulnerability
Summary: Roundcube could be made to expose sensitive information.
It was discovered that Roundcube incorrectly handled certain file-based
attachment plugins. An attacker could exploit this to gain unauthorized
access to arbitrary files on the host’s file system.
Instructions: In general, a standard system update will make all the necessary changes.
CISA
Roundcube Webmail File Disclosure Vulnerability
cisa·2021-11-03·CVSS 7.8
CVE-2017-16651 [HIGH] CWE-552 Roundcube Webmail File Disclosure Vulnerability
Vulnerability: Roundcube Webmail File Disclosure Vulnerability
Affected: Roundcube Roundcube Webmail
Roundcube Webmail contains a file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-16651
Remediation Due Date: 2022-05-03
Debian
CVE-2017-16651: roundcube - Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allo...
vendor_debian·2017·CVSS 7.8
CVE-2017-16651 [HIGH] CVE-2017-16651: roundcube - Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allo...
Scope: local
bookworm: resolved (fixed in 1.3.3+dfsg.1-1)
bullseye: resolved (fixed in 1.3.3+dfsg.1-1)
forky: resolved (fixed in 1.3.3+dfsg.1-1)
sid: resolved (fixed in 1.3.3+dfsg.1-1)
trixie: resolved (fixed in 1.3.3+dfsg.1-1)
GHSA
GHSA-6r67-r3jm-88p4: Roundcube Webmail before 1
ghsa_unreviewed·2022-05-13
CVE-2017-16651 [HIGH] CWE-552 GHSA-6r67-r3jm-88p4: Roundcube Webmail before 1
OSV
CVE-2017-16651: Roundcube Webmail before 1
osv·2017-11-09·CVSS 7.8
CVE-2017-16651 [HIGH] CVE-2017-16651: Roundcube Webmail before 1
VulnCheck
Roundcube Webmail File Disclosure Vulnerability
vulncheck·2017·CVSS 7.8
CVE-2017-16651 [HIGH] CWE-552 Roundcube Webmail File Disclosure Vulnerability
Roundcube Webmail File Disclosure Vulnerability
Roundcube Webmail contains a file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default.
Affected: Roundcube Roundcube Webmail
Required Action: Apply updates per vendor instructions.
Exploitation References: https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10; https://www.cve.org/CVERecord?id=CVE-2017-16651; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/c1ac9329385f
Remediation Due: 2022-05-03
No detection rules found.
Exploit-DB
Roundcube Webmail 1.2 - File Disclosure
exploitdb·2021-02-01·CVSS 7.8
CVE-2017-16651 [HIGH] Roundcube Webmail 1.2 - File Disclosure
Roundcube Webmail 1.2 - File Disclosure
---
```python
# Exploit Title: Roundcube Webmail 1.2 - File Disclosure
# Date: 09-11-2017
# Exploit Author: stonepresto
# Vendor Homepage: https://roundcube.net/
# Software Link: https://sourceforge.net/projects/roundcubemail/files/roundcubemail-beta/1.2-beta/
# Version: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2
# Tested on: roundcube version 1.2-beta
# CVE : CVE-2017-16651
#!/usr/bin/env python3
# Reference: https://gist.github.com/thomascube/3ace32074e23fca0e6510e500bd914a1
# https://github.com/stonepresto/CVE-2017-16651
# Exploit Author: stonepresto
import requests
import re
import sys
URL="https://127.0.0.1/"
USER="[email protected]"
PASS="password"
def main():
    s = requests.Session()
    r = s.get(URL,params={"_task":"login"},verify=False)
    token = None
```
Metasploit
Roundcube TimeZone Authenticated File Disclosure
metasploit
Roundcube Webmail allows unauthorized access to arbitrary files on the host's filesystem, including configuration files. This affects all versions from 1.1.0 through version 1.3.2. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. Tested against version 1.3.2
- http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html
- http://www.securityfocus.com/bid/101793
- https://github.com/roundcube/roundcubemail/issues/6026
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.10
- https://github.com/roundcube/roundcubemail/releases/tag/1.2.7
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.3
- https://lists.debian.org/debian-lts-announce/2017/11/msg00039.html
- https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
- https://www.debian.org/security/2017/dsa-4030
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-16651
Published: 2017-11-09
Added to CISA KEV: 2021-11-03
Exploited in the wild