CVE DATABASE / CVE-2017-16651
CVE-2017-16651
Roundcube Webmail File Disclosure Vulnerability
Confirmed exploited in the wild. Added 2021-11-03.
Federal remediation due 2022-05-03.
Required action: Apply updates per vendor instructions.
Summary
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.
CVSS 3.1 breakdown
| Base score | 7.8 (HIGH) |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.
References
- http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html
- http://www.securityfocus.com/bid/101793
- https://github.com/roundcube/roundcubemail/issues/6026
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.10
- https://github.com/roundcube/roundcubemail/releases/tag/1.2.7
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.3
- https://lists.debian.org/debian-lts-announce/2017/11/msg00039.html
- https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
- https://www.debian.org/security/2017/dsa-4030
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-16651
Data: NIST NVD + CISA KEV. NVD last modified 2026-04-21. Always verify against the vendor advisory before acting.