Advisory No: TZCERT/SA/2022/08/17
Date of First Release: 17th August 2022
Software Affected: Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0.0, i.e. releases before 8.8.15 Patch 33 and 9.0.0 Patch 26
Zimbra Collaboration Suite (ZCS) is affected by two high severity vulnerabilities in its mailbox import (mboximport) functionality: an arbitrary file write via directory traversal (CVE-2022-27925, CVSS score 7.2) and an authentication bypass (CVE-2022-37042). Chained together they allow unauthenticated remote code execution on affected email servers, and both have been exploited in the wild.
CVE-2022-27925 is a high severity vulnerability in Zimbra Collaboration Suite (ZCS). The mboximport functionality accepts a ZIP archive and extracts the files it contains, but it does not validate the entry names inside the archive, so an entry whose name contains ../ is written outside the intended import directory (a "zip slip" path traversal). An authenticated user can therefore upload a crafted archive and write arbitrary files to arbitrary locations on the server, including locations from which the mailboxd web application will execute them.
CVE-2022-37042 is an authentication bypass affecting ZCS releases 8.8.15 and 9.0 (rated critical, CVSS score 9.8). The flaw lies in MailboxImportServlet, the servlet that implements mboximport: a request that carries no valid authentication token is still processed, so an unauthenticated malicious actor can reach the same file-write primitive as CVE-2022-27925 on a vulnerable ZCS instance.
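The traversal mechanics behind CVE-2022-27925, as an added illustration that is not Zimbra's code: a ZIP archive whose entry names contain ../ is unpacked by an extractor that trusts those names, beside a hardened extractor that resolves every entry against the destination directory and refuses the whole archive if any entry escapes. The archive contents, file names and directory layout are constructed for the demonstration (the build_sample_zip, unsafe_extract, traversal_entries, safe_extract and demo names are ours); nothing here reproduces the Zimbra servlet or a real exploit payload.

```python
from __future__ import annotations

import io
import os
import shutil
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real exploit payload): one benign
    mailbox entry plus one 'zip slip' entry whose name climbs two levels
    above the extraction directory. All names are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Inbox/message.eml", "From: alice@example.com\nSubject: hi\n")
        zf.writestr("../../webapps/zimbra/shell.jsp", "<%-- placeholder --%>")
    return buf.getvalue()


def unsafe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Vulnerable pattern: trusts entry names and joins them onto dest,
    so '..' components in the archive are honoured by the filesystem.
    Returns the resolved paths that were actually written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            target = os.path.join(dest, member.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(member))
            written.append(os.path.realpath(target))
    return written


def traversal_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Return the entry names that would resolve outside dest.
    A clean archive yields an empty list."""
    base = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.infolist():
            # Treat backslashes as separators too, so a Windows-style
            # '..\\..\\x' name cannot slip past a POSIX check.
            name = member.filename.replace("\\", "/")
            resolved = os.path.realpath(os.path.join(base, name))
            if os.path.isabs(name) or os.path.commonpath([base, resolved]) != base:
                bad.append(member.filename)
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Hardened pattern: reject the whole archive if any entry escapes dest,
    so nothing is written to disk before the check has passed."""
    bad = traversal_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive with traversal entries: {bad}")
    base = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            name = member.filename.replace("\\", "/")
            target = os.path.realpath(os.path.join(base, name))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(member))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors against the sample archive inside a throwaway
    directory tree and report which entries escaped and whether the
    hardened extractor rejected the archive."""
    root = tempfile.mkdtemp(prefix="zipslip-")
    try:
        dest = os.path.join(root, "store", "import")
        os.makedirs(dest)
        base = os.path.realpath(dest)
        data = build_sample_zip()
        written = unsafe_extract(data, dest)
        escaped = [p for p in written if os.path.commonpath([base, p]) != base]
        try:
            safe_extract(data, dest)
            rejected = False
        except ValueError:
            rejected = True
        top = os.path.realpath(root)
        return {
            "flagged": traversal_entries(data, dest),
            "escaped_count": len(escaped),
            "escaped_outside_tree": [os.path.relpath(p, top).replace(os.sep, "/") for p in escaped],
            "rejected": rejected,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Rejecting the entire archive before writing anything is the point: sanitizing entries one at a time while extracting leaves earlier files on disk when a later entry turns out to be malicious. The same resolve-and-compare check applies to any archive format that carries attacker-controlled paths, and on a mail server it should be paired with an import directory that the web application cannot serve from.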
Successful exploitation of the chained vulnerabilities allows an unauthenticated attacker to execute arbitrary code on the mail server and take control of the affected system and the mailboxes it hosts.
Zimbra has released patches for both vulnerabilities. CVE-2022-27925 was fixed in ZCS 8.8.15 Patch 31 and 9.0.0 Patch 24; CVE-2022-37042 is fixed in ZCS 8.8.15 Patch 33 and 9.0.0 Patch 26, which should be treated as the minimum safe versions. Users and administrators are encouraged to apply these updates immediately (zmcontrol -v reports the installed release and patch level). Because both flaws were exploited before the patches were available, administrators should also review servers for signs of compromise, such as unexpected or recently modified JSP files under the Zimbra web application directories, and treat any such finding as a full compromise of the server.