CVE-2020-10194

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-10194

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-10194.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-10194

Published

2020-03-20T21:15:17.047Z

Modified

2026-04-11T09:46:15.875211Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. This differs from the intended behavior in which the domain of the authenticated user must match the domain of the galsync account in the request.

References

Affected packages

Git / github.com/zimbra/zm-mailbox

Affected ranges

Type

GIT

Repo

https://github.com/zimbra/zm-mailbox

Events

Introduced

Fixed

d30e647f21ecef5490f21facf2e06e228b44a36e

Introduced

Last affected

d30e647f21ecef5490f21facf2e06e228b44a36e

Introduced

Last affected

042b0963ea86e965d9fcd036816ac87d6fe88b9b

Introduced

Last affected

8dd758add476db0ee9a7c1abab136e30ebde01b2

Introduced

Last affected

9665ec3f4ea1a372efce0dfdc3e1226ef0c49249

Introduced

Last affected

efd11afe1b526bb03f59b699aaadf6a1449e0244

Introduced

Last affected

fe16ceac5e47687386b4c54d2d11a28f017f4bf4

Introduced

Last affected

d093cdf68ec6716be445c653277f602739a5086b

Introduced

Last affected

a12b964a206748de6db6dc1da2ee16249aabafce

Fixed

1df440e0efa624d1772a05fb6d397d9beb4bda1e

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.8.15"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.8.15-NA"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.8.15-patch1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.8.15-patch2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.8.15-patch3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.8.15-patch4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.8.15-patch5"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.8.15-patch6"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.8.15-patch7"
        }
    ]
}

Affected versions

8.*

8.8.10

8.8.12

8.8.15

8.8.15.p1

8.8.15.p2

8.8.15.p3

8.8.15.p4

8.8.15.p5

8.8.15.p6

8.8.15.p7

8.8.2

8.8.3

8.8.4

8.8.5

8.8.6

8.8.7

8.8.8

8.8.9

Database specific

vanir_signatures_modified

"2026-04-11T09:46:15Z"

vanir_signatures

[
    {
        "id": "CVE-2020-10194-4314dc38",
        "deprecated": false,
        "source": "https://github.com/zimbra/zm-mailbox/commit/d30e647f21ecef5490f21facf2e06e228b44a36e",
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "function": "updateLastLogon",
            "file": "store/src/java/com/zimbra/cs/account/ldap/LdapProvisioning.java"
        },
        "digest": {
            "function_hash": "130804680382483964301386928646396783356",
            "length": 461.0
        }
    },
    {
        "id": "CVE-2020-10194-81b4ab0b",
        "deprecated": false,
        "source": "https://github.com/zimbra/zm-mailbox/commit/1df440e0efa624d1772a05fb6d397d9beb4bda1e",
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "store/src/java/com/zimbra/cs/service/account/AutoCompleteGal.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "229517679686205523715402217324700394259",
                "56981330284956748620401296164109700603",
                "336897459929083016848280167708331261784",
                "87588029407074370430861276684829618465",
                "103335325727630520655163700639494496382",
                "253093700081280273806403364256489052188"
            ]
        }
    },
    {
        "id": "CVE-2020-10194-96c6e311",
        "deprecated": false,
        "source": "https://github.com/zimbra/zm-mailbox/commit/d30e647f21ecef5490f21facf2e06e228b44a36e",
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "store/src/java/com/zimbra/cs/account/ldap/LdapProvisioning.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "35532726304441886843822597725517922529",
                "86869606749296562789619135716824747966",
                "329209388892522800440224682947664957145",
                "301198994465565842404478996247629867721",
                "249110717571679374632676844697594286961",
                "165150619554600532748713227738510509377",
                "135793442757343879754509969633552703576",
                "99023990949396355242231588957425096724"
            ]
        }
    },
    {
        "id": "CVE-2020-10194-aa5bbd03",
        "deprecated": false,
        "source": "https://github.com/zimbra/zm-mailbox/commit/1df440e0efa624d1772a05fb6d397d9beb4bda1e",
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "function": "handle",
            "file": "store/src/java/com/zimbra/cs/service/account/AutoCompleteGal.java"
        },
        "digest": {
            "function_hash": "121930347612280065506370044909784702061",
            "length": 1002.0
        }
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-10194.json"