CVE-2022-41352

Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.

Se ha detectado un problema en Zimbra Collaboration (ZCS) versiones 8.8.15 y 9.0. Un atacante puede descargar archivos arbitrarios mediante amavisd por medio de un loophole de cpio (extracción a /opt/zimbra/jetty/webapps/zimbra/public) que puede conllevar a un acceso incorrecto a cualquier otra cuenta de usuario. Zimbra recomienda pax sobre cpio. Además, pax está en los prerrequisitos de Zimbra en Ubuntu; sin embargo, pax ya no forma parte de una instalación por defecto de Red Hat después de RHEL 6 (o CentOS 6). Una vez instalado pax, amavisd lo prefiere automáticamente sobre cpio.

Zimbra Collaboration (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other user accounts.

*Credits: N/A

CVSS Scores

NISTv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-26 CVE Reserved
2022-09-26 CVE Published
2022-10-20 Exploited in Wild
2022-11-10 KEV Due Date
2024-03-17 First Exploit
2024-08-03 CVE Updated
2024-11-19 EPSS Updated

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (13)

URL	Tag	Source
https://www.secpod.com/blog/unpatched-rce-bug-in-zimbra-collaboration-suite-exploited-in-wild	Third Party Advisory
https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax
https://www.openwall.com/lists/oss-security/2015/01/18/7
https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html
https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis
https://attackerkb.com/topics/FdLYrGfAeg/cve-2015-1197/rapid7-analysis
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P34

URL	Date	SRC
https://github.com/rxerium/CVE-2022-41352	2024-03-17
http://packetstormsecurity.com/files/169458/Zimbra-Collaboration-Suite-TAR-Path-Traversal.html	2024-08-03

URL	Date	SRC
https://wiki.zimbra.com/wiki/Security_Center	2024-02-01

URL	Date	SRC
https://forums.zimbra.org/viewtopic.php?t=71153&p=306532	2022-06-28
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories	2024-02-01

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Zimbra Search vendor "Zimbra"		Collaboration Search vendor "Zimbra" for product "Collaboration"				8.8.15 Search vendor "Zimbra" for product "Collaboration" and version "8.8.15"		-		Affected
Zimbra Search vendor "Zimbra"		Collaboration Search vendor "Zimbra" for product "Collaboration"				9.0.0 Search vendor "Zimbra" for product "Collaboration" and version "9.0.0"		-		Affected