CVE-2020-12641: 
Linux Debian vulnerability analysis and mitigation

CVE-2020-12641 is a remote code execution vulnerability discovered in Roundcube Webmail versions before 1.4.4. The vulnerability was disclosed on April 29, 2020, and affects the rcube_image.php component. The flaw allows attackers to execute arbitrary code via shell metacharacters in configuration settings for im_convert_path or im_identify_path (Roundcube News, NVD).

The vulnerability exists in the rcube_image.php component where insufficient sanitization of the im_convert_path and im_identify_path configuration parameters allows command injection. The issue received a CVSS v3.1 base score of 9.8 (Critical) with attack vector: Network, attack complexity: Low, privileges required: None, user interaction: None, scope: Unchanged, and impact metrics all rated as High for confidentiality, integrity and availability (Ubuntu).

If successfully exploited, this vulnerability allows attackers to execute arbitrary system commands on the affected server. The impact is particularly severe as it can lead to complete system compromise through remote code execution. The vulnerability can be triggered when any user opens an email containing a non-standard image that requires conversion (DrunkenShells).

The vulnerability was patched in Roundcube versions 1.4.4, 1.3.11, and 1.2.10. The fix implements proper shell command escaping using escapeshellcmd() for the convert and identify commands. Organizations should upgrade to these or later versions immediately. A bypass was later discovered, leading to additional fixes in versions 1.4.5 and 1.3.12 (Roundcube Commit, Roundcube News).