Author Topic: CVE-2021-29472 Vulnerability in Cents7 (7.6.1810)  (Read 3718 times)

Offline round_mania

  • Newbie
  • *
  • Posts: 6
CVE-2021-29472 Vulnerability in Cents7 (7.6.1810)
« on: May 08, 2021, 03:06:14 AM »
Hi,
As you know CVE-2021-29472 Vulnerability has published and I did not find related description whether roundcube is vulnereable or not?

Offline JohnDoh

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2,845
Re: CVE-2021-29472 Vulnerability in Cents7 (7.6.1810)
« Reply #1 on: May 09, 2021, 03:39:33 AM »
Quote
The impact to Composer users directly is limited as the composer.json file is typically under their own control
So, no. Just make sure you've updated your version of Composer.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…

Offline round_mania

  • Newbie
  • *
  • Posts: 6
Re: CVE-2021-29472 Vulnerability in Cents7 (7.6.1810)
« Reply #2 on: May 09, 2021, 08:05:31 AM »
As my server is in datacenter and soes not internet access , I can not update composer. considering this condition, Is it vulnerable if I dont update composer?

Offline JohnDoh

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2,845
Re: CVE-2021-29472 Vulnerability in Cents7 (7.6.1810)
« Reply #3 on: May 09, 2021, 10:03:39 AM »
As I understand the vulnerability it relates to the download of packages from VCS repositories. Roundcube does not include any VCS repos in its default composer.json file and as far as I can see none of the packages it does require mention any VCS repos. So unless you added one of your own....

Any way if you are not using composer for package management on your server why would you even have it installed?

If you want to know more about the Composer vulnerability then try the Composer community.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…