CVE-2022-41352
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-41352
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-41352.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-41352
- Published
- 2022-09-26T02:15:10Z
- Modified
- 2025-11-06T10:25:40.548560Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
- References
-
- http://packetstormsecurity.com/files/169458/Zimbra-Collaboration-Suite-TAR-Path-Traversal.html
- https://forums.zimbra.org/viewtopic.php?t=71153&p=306532
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://www.secpod.com/blog/unpatched-rce-bug-in-zimbra-collaboration-suite-exploited-in-wild/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41352
Affected packages
Git
github.com/zimbra/zm-build
Affected ranges
- Type
- GIT
- Repo
- https://github.com/zimbra/zm-build
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affected
github.com/zimbra/zm-mailbox
Affected ranges
- Type
- GIT
- Repo
- https://github.com/zimbra/zm-mailbox
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affected
Affected versions
8.*
8.7.10
8.7.11
8.7.6
8.7.7
8.7.9
8.8.0.beta1
8.8.10
8.8.11
8.8.12
8.8.15
8.8.15.p1
8.8.15.p10
8.8.15.p11
8.8.15.p12
8.8.15.p13
8.8.15.p14
8.8.15.p15
8.8.15.p16
8.8.15.p17
8.8.15.p18
8.8.15.p2
8.8.15.p20
8.8.15.p23
8.8.15.p24
8.8.15.p25
8.8.15.p26
8.8.15.p27
8.8.15.p29
8.8.15.p3
8.8.15.p30
8.8.15.p31
8.8.15.p4
8.8.15.p5
8.8.15.p6
8.8.15.p7
8.8.15.p8
8.8.15.p9
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.8.7
8.8.8
8.8.9
9.*
9.0.0
9.0.0.p1
9.0.0.p10
9.0.0.p11
9.0.0.p13
9.0.0.p14
9.0.0.p16
9.0.0.p18
9.0.0.p19
9.0.0.p2
9.0.0.p20
9.0.0.p22
9.0.0.p23
9.0.0.p3
9.0.0.p4
9.0.0.p5
9.0.0.p6
9.0.0.p7
9.0.0.p8
9.0.0.p9
github.com/zimbra/zm-zcs
github.com/zimbra/zm-zcs-lib
Affected ranges
- Type
- GIT
- Repo
- https://github.com/zimbra/zm-zcs-lib
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affected