CVE-2022-37042

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-37042
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-37042.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-37042
Published
2022-08-12T15:15:16Z
Modified
2024-09-03T04:18:33.468352Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.

References

Affected packages

Git / github.com/zimbra/zm-build

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-build
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Last affected

Affected versions

8.*

8.7.10
8.7.11
8.7.6
8.7.7
8.7.9
8.8.0.beta1
8.8.10
8.8.11
8.8.11.p3
8.8.12
8.8.15
8.8.2
8.8.3
8.8.4
8.8.6
8.8.7
8.8.8
8.8.9
8.8.9.p1
8.8.9.p3