Description: roundcube version 1.3.4 and earlier contains an insecure permissions vulnerability in the enigma plugin that can result in exfiltration of the GPG private key. This attack appears to be exploitable via network connectivity.
Source: CVE (references at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 897014

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                    Version                    Status
roundcube (PTS)   stretch                    1.2.3+dfsg.1-4+deb9u6      fixed
                  stretch (security)         1.2.3+dfsg.1-4+deb9u8      fixed
                  buster, buster (security)  1.3.16+dfsg.1-1~deb10u1    fixed
                  bookworm, bullseye         1.4.11+dfsg.1-4            fixed

The information below is based on the following data on fixed versions.

Package    Type    Release    Fixed Version    Urgency    Origin    Debian Bugs

Notes:
That plugin is not functional in stretch due to a missing package dependency; setting it up would require several additional manual changes on the admin's side.
Can be mitigated by moving the plugin's home folder (the directory in which enigma stores users' GPG keyrings) outside the scope of the webserver, so that key files cannot be fetched over HTTP.
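The mitigation above is a one-line configuration change, but it is easy to get wrong on a system where the document root and the plugin directory are linked or nested in non-obvious ways. The following POSIX shell script is an added example written for this page; it is not part of the Debian tracker or of Roundcube itself. It checks whether a given enigma home directory resolves to a path under the webserver document root, lists key files whose permissions let the web server user (or anyone else in the group or world) read them, and relocates the directory, printing the `enigma_pgp_homedir` line for plugins/enigma/config.inc.php. The config key is Roundcube's real setting; the directory layout and paths used here are illustrative assumptions, and the directory must end up owned by the PHP process user.

```shell
#!/bin/sh
# Added example, not Roundcube or Debian code. Assumes the enigma plugin keeps
# its GPG keyrings in the directory named by $config['enigma_pgp_homedir']
# (default: plugins/enigma/home under the Roundcube install, i.e. inside the
# document root, which is exactly the exposed layout). All paths are illustrative.

# Canonicalise a directory path (follows symlinks) without relying on realpath(1).
canon_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# Return 0 if HOMEDIR (arg 2) is inside DOCROOT (arg 1), 1 if it is outside,
# 2 if either path does not exist. A homedir equal to the docroot counts as inside.
enigma_home_exposed() {
    docroot=$(canon_dir "$1") || return 2
    homedir=$(canon_dir "$2") || return 2
    case "$homedir/" in
        "$docroot"/*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print every regular file under HOMEDIR that is group- or world-readable.
# Keyring files should be mode 0600 and owned by the PHP process user only.
key_files_too_open() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Move the home directory SRC to DEST (outside the document root), tighten
# permissions, and print the config line the admin must add. Returns non-zero
# on any failure so a caller can stop before editing the configuration.
relocate_enigma_home() {
    src=$1
    dest=$2
    mkdir -p "$(dirname "$dest")" || return 1
    mv "$src" "$dest" || return 1
    chmod 700 "$dest" || return 1
    find "$dest" -type f -exec chmod 600 {} + || return 1
    # Remember to chown to the web/PHP user (e.g. www-data) after moving.
    printf "\$config['enigma_pgp_homedir'] = '%s';\n" "$dest"
}

# Usage (illustrative paths):
#   enigma_home_exposed /var/www /var/www/roundcube/plugins/enigma/home && echo EXPOSED
#   key_files_too_open /var/www/roundcube/plugins/enigma/home
#   relocate_enigma_home /var/www/roundcube/plugins/enigma/home /var/lib/roundcube/enigma-home
```

Run the exposure check first; if it reports the directory as inside the document root, relocate it and then set `enigma_pgp_homedir` to the printed path. Repeat the permission check afterwards, since a relocated directory that the web server can still read via a permissive group mode has only been half fixed.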

