CVE-2022-41352

Published Sep 26, 2022

Last updated 6 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2022-41352 is a vulnerability in Zimbra Collaboration Suite (ZCS) versions 8.8.15 and 9.0. It stems from how the Amavis content filter, which is part of Zimbra, uses the cpio utility to unpack archives. An attacker can exploit this by crafting a malicious archive (e.g., a .tar file) containing a web-shell and sending it to a vulnerable Zimbra server. When the Amavis filter scans the archive, it uses cpio to extract the contents, including the malicious web-shell, to a public directory. This allows the attacker to then execute arbitrary commands on the compromised server via the web-shell. The vulnerability exists because cpio lacks a secure mode for handling untrusted files, potentially allowing writes to any path accessible to the Zimbra user.

Description
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
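A defender-side check for the two points the description raises, added here as an example that is not part of the CVE record or of Zimbra's own tooling: it confirms that pax (which amavis prefers over cpio once installed) is on PATH, and lists recently modified JSP files under the public webapp directory named above. The default directory, the extension list and the seven-day window are assumptions.

```shell
#!/bin/sh
# Added example (not Zimbra's or NVD's code): two checks an operator can run
# on a ZCS host for CVE-2022-41352. Paths and extensions are assumptions.

# Default to the extraction directory named in the CVE description;
# override with ZIMBRA_PUBLIC for testing or non-standard installs.
ZIMBRA_PUBLIC="${ZIMBRA_PUBLIC:-/opt/zimbra/jetty/webapps/zimbra/public}"

# Mitigation check: returns 0 when pax is on PATH (amavis then prefers it
# over cpio, per the advisory), 1 when only cpio or neither is available.
pax_available() {
  command -v pax >/dev/null 2>&1
}

# Detection check: print files under $1 with server-executable extensions
# (assumed list) modified within the last $2 days (default 7). Files that
# a cpio extraction dropped here would show up with a recent mtime.
find_recent_webapp_files() {
  dir="$1"
  days="${2:-7}"
  [ -d "$dir" ] || return 0
  find "$dir" -type f \( -name '*.jsp' -o -name '*.jspx' \) \
       -mtime -"$days" 2>/dev/null
}

# Summary: returns 0 only when pax is present and no recent files were found.
check_host() {
  status=0
  if pax_available; then
    echo "ok: pax found, amavis will use it instead of cpio"
  else
    echo "warn: pax not found; amavis falls back to cpio"
    status=1
  fi
  # "|| true" keeps grep's exit status 1 (no matches) from tripping set -e.
  hits=$(find_recent_webapp_files "$ZIMBRA_PUBLIC" 7 | grep -c . || true)
  if [ "$hits" -gt 0 ]; then
    echo "warn: $hits recently modified executable file(s) in $ZIMBRA_PUBLIC"
    find_recent_webapp_files "$ZIMBRA_PUBLIC" 7
    status=1
  fi
  return "$status"
}
```

Source the file and call `check_host`; a non-zero return means either pax is missing or recently modified JSP files were found.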
Source: cve@mitre.org
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: Synacor Zimbra Collaboration Suite (ZCS) Arbitrary File Upload Vulnerability
Exploit added on: Oct 20, 2022
Exploit action due: Nov 10, 2022
Required action: Apply updates per vendor instructions.

Weaknesses

nvd@nist.gov: CWE-22
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-22

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

35

Configurations