First published: Thu Aug 11 2022(Updated: )
An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. The value of the X-Forwarded-Host header overwrites the value of the Host header in proxied requests. The value of X-Forwarded-Host header is not checked against the whitelist of hosts that ZCS is allowed to proxy to (the zimbraProxyAllowedDomains setting).
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Zimbra Collaboration | =8.8.15 | Update to a patched release
Zimbra Collaboration | =9.0.0 | Update to a patched release
CVE-2022-37041 is a vulnerability in the /proxy servlet (ProxyServlet.java) of Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0: a client-supplied X-Forwarded-Host header overwrites the Host header of the proxied request, and that value is never checked against the zimbraProxyAllowedDomains allowlist, so the allowlist only constrains the target URL's host, not the Host header the upstream actually receives.
CVE-2022-37041 has a severity rating of 7.5 (high).
To fix CVE-2022-37041, update your Zimbra Collaboration Suite installation to a version that includes the necessary security patches.
You can find more information about CVE-2022-37041 on the Zimbra Security Center and Zimbra Security Advisories pages.
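The following is an added illustration of the bug class described above, not Zimbra's ProxyServlet code: the function names, the header dictionary and the allowlist are constructed here. It contrasts a resolver that applies the allowlist only to the target URL and then lets X-Forwarded-Host overwrite the upstream Host (the behaviour the advisory describes) with one that runs every candidate host through the same check.

```python
"""Model of an allowlist bypass via X-Forwarded-Host (added example, not
Zimbra code). ALLOWED_DOMAINS and the request headers are constructed."""
from typing import Dict, Optional, Set
from urllib.parse import urlsplit


class ProxyDenied(Exception):
    """Raised when a host is not on the proxy allowlist."""


def host_allowed(host: str, allowed_domains: Set[str]) -> bool:
    """True if host is a listed domain or a subdomain of one.

    A trailing :port is stripped so 'mail.example.com:8443' still matches;
    bracketed IPv6 literals are left untouched.
    """
    host = host.lower().rstrip(".")
    if ":" in host and not host.startswith("["):
        host = host.rsplit(":", 1)[0]
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def upstream_host_vulnerable(target_url: str,
                             request_headers: Dict[str, str],
                             allowed_domains: Set[str]) -> str:
    """Mirrors the flaw: the allowlist is applied to the target URL's host,
    but the Host sent upstream is then replaced by an unchecked
    X-Forwarded-Host value if the client supplied one."""
    url_host = urlsplit(target_url).hostname or ""
    if not host_allowed(url_host, allowed_domains):
        raise ProxyDenied(url_host)
    forwarded: Optional[str] = request_headers.get("X-Forwarded-Host")
    return forwarded if forwarded else url_host


def upstream_host_fixed(target_url: str,
                        request_headers: Dict[str, str],
                        allowed_domains: Set[str]) -> str:
    """Hardened variant: every value that can become the upstream Host
    header passes the same allowlist check, so X-Forwarded-Host cannot
    steer the request to a host the allowlist would have rejected."""
    url_host = urlsplit(target_url).hostname or ""
    forwarded = request_headers.get("X-Forwarded-Host")
    for candidate in (url_host, forwarded):
        if candidate is not None and not host_allowed(candidate, allowed_domains):
            raise ProxyDenied(candidate)
    return forwarded if forwarded else url_host


if __name__ == "__main__":
    # Constructed sample: allowlist holds one domain; the request carries a
    # forwarded host outside it.
    ALLOWED_DOMAINS = {"example.com"}
    headers = {"X-Forwarded-Host": "attacker.example.net"}
    target = "https://mail.example.com/service/soap"
    print("vulnerable ->", upstream_host_vulnerable(target, headers, ALLOWED_DOMAINS))
    try:
        upstream_host_fixed(target, headers, ALLOWED_DOMAINS)
    except ProxyDenied as denied:
        print("fixed      -> denied", denied)
```

If a proxy has no reason to honour a client-supplied X-Forwarded-Host at all, dropping the header before forwarding is simpler than validating it; the check-every-candidate form above is the general rule when the header must be kept. On a real ZCS host the current allowlist can be read with `zmprov gcf zimbraProxyAllowedDomains` (the getConfig subcommand of zmprov, as I recall it).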