CVE-2015-8770 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	HIGH	LOW	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 96%

Vendor	Product	Version
roundcube	roundcube_webmail	𝑥 ≤ 1.0.7
roundcube	roundcube_webmail	1.1.0
roundcube	roundcube_webmail	1.1.1
roundcube	roundcube_webmail	1.1.2
roundcube	roundcube_webmail	1.1.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

roundcube

bullseye (security)	1.4.15+dfsg.1-1+deb11u4 fixed
bullseye	1.4.15+dfsg.1-1+deb11u4 fixed
bookworm	1.6.5+dfsg-1+deb12u4 fixed
bookworm (security)	1.6.5+dfsg-1+deb12u4 fixed
sid	1.6.9+dfsg-1 fixed
trixie	1.6.9+dfsg-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

roundcube

disco	not-affected
cosmic	not-affected
bionic	not-affected
artful	not-affected
zesty	not-affected
yakkety	not-affected
xenial	not-affected
wily	ignored
vivid	ignored
trusty	dne
precise	ignored

Known Exploits!

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00028.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00029.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00030.html

http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html

http://trac.roundcube.net/changeset/10e5192a2b/github

http://trac.roundcube.net/ticket/1490620

http://www.debian.org/security/2016/dsa-3541

http://www.securityfocus.com/archive/1/537304/100/0/threaded

https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/

https://security.gentoo.org/glsa/201603-03

https://www.exploit-db.com/exploits/39245/

https://www.htbridge.com/advisory/HTB23283

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00028.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00029.html

http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00030.html

http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html

http://trac.roundcube.net/changeset/10e5192a2b/github

http://trac.roundcube.net/ticket/1490620

http://www.debian.org/security/2016/dsa-3541

http://www.securityfocus.com/archive/1/537304/100/0/threaded

https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/

https://security.gentoo.org/glsa/201603-03

https://www.exploit-db.com/exploits/39245/

https://www.htbridge.com/advisory/HTB23283