cve-2018-1000071
Vulnerability from cvelistv5
Published
2018-03-13 15:00
Modified
2024-08-05 12:33
Severity ?
EPSS score ?
Summary
roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/roundcube/roundcubemail/issues/6173 | Third Party Advisory | |
cve@mitre.org | https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/roundcube/roundcubemail/issues/6173 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt | Exploit, Third Party Advisory |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T12:33:49.073Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/roundcube/roundcubemail/issues/6173", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], dateAssigned: "2018-02-12T00:00:00", datePublic: "2018-03-13T00:00:00", descriptions: [ { lang: "en", value: "roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-03-13T14:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/roundcube/roundcubemail/issues/6173", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", DATE_ASSIGNED: "2/12/2018 5:20:44", ID: "CVE-2018-1000071", REQUESTER: "contact@legacysecuritygroup.com", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt", refsource: "MISC", url: "https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt", }, { name: "https://github.com/roundcube/roundcubemail/issues/6173", refsource: "MISC", url: "https://github.com/roundcube/roundcubemail/issues/6173", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-1000071", datePublished: "2018-03-13T15:00:00", dateReserved: "2018-02-21T00:00:00", dateUpdated: "2024-08-05T12:33:49.073Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.3.4\", \"matchCriteriaId\": \"78C4B727-C796-4E2C-8781-144F624AF08D\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity.\"}, {\"lang\": \"es\", \"value\": \"roundcube, en versiones 1.3.4 y anteriores, contiene una vulnerabilidad de permisos inseguros en el plugin enigma que puede resultar en la exfiltraci\\u00f3n de la clave privada gpgp. Este ataque parece ser explotable mediante conectividad de red.\"}]", id: "CVE-2018-1000071", lastModified: "2024-11-21T03:39:34.297", metrics: "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}", published: "2018-03-13T15:29:00.330", references: "[{\"url\": \"https://github.com/roundcube/roundcubemail/issues/6173\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/roundcube/roundcubemail/issues/6173\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]", sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-732\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2018-1000071\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2018-03-13T15:29:00.330\",\"lastModified\":\"2024-11-21T03:39:34.297\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity.\"},{\"lang\":\"es\",\"value\":\"roundcube, en versiones 1.3.4 y anteriores, contiene una vulnerabilidad de permisos inseguros en el plugin enigma que puede resultar en la exfiltración de la clave privada gpgp. Este ataque parece ser explotable mediante conectividad de red.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-732\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.3.4\",\"matchCriteriaId\":\"78C4B727-C796-4E2C-8781-144F624AF08D\"}]}]}],\"references\":[{\"url\":\"https://github.com/roundcube/roundcubemail/issues/6173\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/roundcube/roundcubemail/issues/6173\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}", }, }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.