Vulnerability Description
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
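The defensive check that the description implies is a ZIP extraction routine that refuses any member whose name would resolve outside the extraction root. The following is an added example written for this page, not Zimbra's mboximport code; the `UnsafeArchiveEntry` class, the function names and the sample archive contents are all constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

class UnsafeArchiveEntry(ValueError):
    """A ZIP member whose name would resolve outside the extraction root."""

def safe_member_path(root: str, member_name: str) -> Path:
    """Map a ZIP member name onto a path under root, or raise UnsafeArchiveEntry."""
    name = member_name.replace("\\", "/")  # ZIP names may carry either separator
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeArchiveEntry(f"absolute path in archive: {member_name!r}")
    base = Path(root).resolve()
    target = (base / name).resolve()  # collapses any '..' segments before the check
    if target != base and base not in target.parents:
        raise UnsafeArchiveEntry(f"path traversal in archive: {member_name!r}")
    return target

def unsafe_entries(data: bytes, root: str) -> list[str]:
    # Pure check: names the members that would escape root, without touching disk.
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            try:
                safe_member_path(root, member.filename)
            except UnsafeArchiveEntry:
                bad.append(member.filename)
    return bad

def extract_safely(data: bytes, root: str) -> list[str]:
    """Write members only after the whole archive validates; returns relative paths written."""
    if bad := unsafe_entries(data, root):
        raise UnsafeArchiveEntry(f"refusing archive with unsafe members: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            target = safe_member_path(root, member.filename)
            if member.is_dir():
                continue  # directories are created on demand via parent.mkdir below
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(member))
            written.append(str(target.relative_to(Path(root).resolve())))
    return written

def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive for exercising the checks (not a real mailbox export)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Validating every member before writing anything means a single hostile entry rejects the whole upload rather than leaving a partially extracted archive behind.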
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Synacor | Zimbra Collaboration Suite | 8.8.15 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html (Exploit, Third Party Advisory, VDB Entry)
- https://wiki.zimbra.com/wiki/Security_Center (Patch, Vendor Advisory)
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories (Vendor Advisory)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022- (US Government Resource)
FAQ
What is CVE-2022-37042?
CVE-2022-37042 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an att...
How severe is CVE-2022-37042?
CVE-2022-37042 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-37042?
Check the references section above for vendor advisories and patch information. Affected products include: Synacor Zimbra Collaboration Suite.