{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20181778",
"Version": "oval:org.altlinux.errata:def:20181778",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2018-1778: package `roundcube` update to version 1.3.6-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p11"
],
"Products": [
"ALT Container"
]
}
],
"References": [
{
"RefID": "ALT-PU-2018-1778",
"RefURL": "https://errata.altlinux.org/ALT-PU-2018-1778",
"Source": "ALTPU"
},
{
"RefID": "CVE-2018-1000071",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000071",
"Source": "CVE"
},
{
"RefID": "CVE-2018-9846",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-9846",
"Source": "CVE"
}
],
"Description": "This update upgrades roundcube to version 1.3.6-alt1. \nSecurity Fix(es):\n\n * CVE-2018-1000071: roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in the enigma plugin that can result in exfiltration of gpg private key. This attack appears to be exploitable via network connectivity.\n\n * CVE-2018-9846: In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled \"_uid\" parameter (in an archive.php _task=mail\u0026_mbox=INBOX\u0026_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2018-05-22"
},
"Updated": {
"Date": "2018-05-22"
},
"BDUs": null,
"CVEs": [
{
"ID": "CVE-2018-1000071",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-732",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000071",
"Impact": "High",
"Public": "20180313"
},
{
"ID": "CVE-2018-9846",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"CWE": "CWE-20",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-9846",
"Impact": "High",
"Public": "20180407"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:container:11"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20181778001",
"Comment": "roundcube is earlier than 0:1.3.6-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20181778002",
"Comment": "roundcube-apache2 is earlier than 0:1.3.6-alt1"
}
]
}
]
}
}
]
}