Vulnerability Description
iRedMail version prior to commit f04b8ef contains a Insecure Permissions vulnerability in Roundcube Webmail that can result in Exfiltrate a user's password protected secret GPG key file and other important configuration files.. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in Beta: 0.9.8-BETA1, Stable: 0.9.7.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Iredmail | Iredmail | <= 0.9.6 |
Related Weaknesses (CWE)
References
- http://legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txtExploitMitigationThird Party Advisory
- https://bitbucket.org/zhb/iredmail/issues/130/multiple-security-issues-with-defaExploitThird Party Advisory
- http://legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txtExploitMitigationThird Party Advisory
- https://bitbucket.org/zhb/iredmail/issues/130/multiple-security-issues-with-defaExploitThird Party Advisory
FAQ
What is CVE-2018-1000072?
CVE-2018-1000072 is a vulnerability with a CVSS score of 7.5 (HIGH). iRedMail version prior to commit f04b8ef contains a Insecure Permissions vulnerability in Roundcube Webmail that can result in Exfiltrate a user's password protected secret GPG key file and other impo...
How severe is CVE-2018-1000072?
CVE-2018-1000072 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1000072?
Check the references section above for vendor advisories and patch information. Affected products include: Iredmail Iredmail.