CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2022-41352

CVSS 9.8v3.1pub. 2022-09-26upd. 2025-11-03

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Synacor Zimbra Collaboration Suite

    APP
    Synacor
    8.8.159.0.0

CISA KEV — detailsi

Vendori
Synacor
Producti
Zimbra Collaboration Suite (ZCS)
Added to KEVi
October 20, 2022
Remediation deadline (US Federal)i
November 10, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other user accounts.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 10 listopada 2022
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2024-45519CRITICAL10.0⚠ KEVPL ✓ten sam produkt

RCE w usłudze postjournal Zimbra Collaboration Suite — command injection bez uwierzytelnienia

CVE-2023-34192CRITICAL9.0⚠ KEVten sam produkt

Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute ar...

CVE-2022-37042CRITICAL9.8⚠ KEVten sam produkt

Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and e...

CVE-2020-7796CRITICAL9.8⚠ KEVten sam produkt

Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet J...

CVE-2019-9670CRITICAL9.8⚠ KEVten sam produkt

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity inj...