Roundcube Community Forum

 

CVE-2021-29472 Vulnerability in CentOS 7 (7.6.1810)

Started by round_mania, May 08, 2021, 03:06:14 AM

round_mania

Hi,
As you know, the CVE-2021-29472 vulnerability has been published, and I did not find any related description of whether Roundcube is vulnerable or not.

JohnDoh

Quote: The impact to Composer users directly is limited as the composer.json file is typically under their own control
So, no. Just make sure you've updated your version of Composer.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more...

round_mania

As my server is in a datacenter and does not have internet access, I cannot update Composer. Considering this condition, is it vulnerable if I don't update Composer?

JohnDoh

As I understand the vulnerability, it relates to the download of packages from VCS repositories. Roundcube does not include any VCS repos in its default composer.json file and as far as I can see none of the packages it does require mention any VCS repos. So unless you added one of your own....

Anyway, if you are not using Composer for package management on your server, why would you even have it installed?

If you want to know more about the Composer vulnerability then try the Composer community.
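
The check described in the reply above (does composer.json declare any VCS repositories?), as an added example that is not part of the original thread or of Roundcube's code. The sample composer.json, its URLs and the list of repository types treated as VCS are assumptions made for illustration.

```python
import json

# Repository types that make Composer fetch from a version-control system.
# Assumption: this list covers the common types; extend it for your setup.
VCS_TYPES = {"vcs", "git", "svn", "hg"}

# Constructed sample: a composer.json to which a VCS repository was added locally.
SAMPLE_COMPOSER_JSON = """
{
  "name": "example/webmail",
  "repositories": [
    {"type": "composer", "url": "https://plugins.example.test"},
    {"type": "vcs", "url": "https://git.example.test/acme/plugin.git"},
    {"packagist.org": false}
  ],
  "require": {"php": ">=7.3"}
}
"""

def find_vcs_repositories(composer_json_text):
    """Return (type, url) pairs for repositories Composer would fetch via a VCS."""
    data = json.loads(composer_json_text)
    repos = data.get("repositories", [])
    # "repositories" may be a list or an object keyed by repository name.
    entries = repos.values() if isinstance(repos, dict) else repos
    found = []
    for repo in entries:
        if not isinstance(repo, dict):  # object form: "packagist.org": false
            continue
        rtype = str(repo.get("type", "")).lower()
        if rtype in VCS_TYPES:
            found.append((rtype, repo.get("url", "")))
        elif rtype == "package":
            # Inline package definitions carry their own "source" block.
            pkgs = repo.get("package", [])
            for pkg in pkgs if isinstance(pkgs, list) else [pkgs]:
                src = pkg.get("source") or {}
                stype = str(src.get("type", "")).lower()
                if stype in VCS_TYPES:
                    found.append((stype, src.get("url", "")))
    return found

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COMPOSER_JSON
    for rtype, url in find_vcs_repositories(text):
        print(f"VCS repository ({rtype}): {url}")
```

Run it with the path to a composer.json as the only argument; no output means no VCS repositories are declared in that file.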