First published: Mon Sep 26 2022
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Zimbra Collaboration | =8.8.15 |
Zimbra Collaboration | =9.0.0 |
CVE-2022-41352 is a serious vulnerability in Zimbra Collaboration (ZCS) that allows an attacker to upload arbitrary files through the cpio package used by amavis, which can lead to unauthorized access to other user accounts. To fix CVE-2022-41352, apply the latest security patches or updates provided by Zimbra.
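As an added defensive check (example code, not Zimbra's or SecAlerts' own), the following POSIX shell functions verify the mitigation the description points to, that pax is installed so amavis prefers it over cpio, and list recently modified files under the extraction directory the advisory names; the default directory argument and the 30-day window are assumptions.

```shell
#!/bin/sh
# Defensive checks for the CVE-2022-41352 mitigation: added example, not
# Zimbra's code. Assumes the directory below is the one named in the advisory.

# Which archive unpacker amavis would pick: it prefers pax when present on
# PATH and otherwise falls back to cpio. Prints pax, cpio or none.
preferred_unpacker() {
    if command -v pax >/dev/null 2>&1; then
        echo pax
    elif command -v cpio >/dev/null 2>&1; then
        echo cpio
    else
        echo none
    fi
}

# Exit status 0 only when the host is in the recommended state (pax installed,
# so amavis no longer uses the cpio path).
pax_mitigation_present() {
    [ "$(preferred_unpacker)" = "pax" ]
}

# List regular files under the web-accessible directory the advisory names as
# the cpio extraction target, modified within the last N days (default 30).
# Files appearing there unexpectedly are worth investigating.
recent_public_files() {
    dir="${1:-/opt/zimbra/jetty/webapps/zimbra/public}"
    days="${2:-30}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -type f -mtime "-$days" -print
}

# Count of such files, convenient for alerting thresholds.
recent_public_file_count() {
    recent_public_files "$@" | wc -l | tr -d ' '
}
```

Run `pax_mitigation_present || echo "pax missing: install it so amavis stops using cpio"` on the mail host; on a default RHEL 7+/CentOS 7+ install this will report pax as missing, matching the note in the description.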