CVE-2022-30287
Published: 28 July 2022
Summary
CVE-2022-30287 is a high-severity Unsafe Reflection (CWE-470) vulnerability in Horde Groupware. Its CVSS base score is 8.0 (High).
Operationally, it is ranked in the top 4.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Horde Groupware Webmail Edition through version 5.2.22 is affected by a reflection injection vulnerability that permits an attacker to instantiate an arbitrary driver class, resulting in PHP object deserialization. The flaw is tracked under CWE-470 and CWE-502 and carries a CVSS 3.1 score of 8.0, reflecting a network attack vector, low attack complexity, low privileges required, and user interaction required.
An authenticated attacker can supply crafted input that reaches the reflection path, causing instantiation of an attacker-chosen class and subsequent deserialization of attacker-controlled data. Successful exploitation compromises the confidentiality, integrity, and availability of the affected webmail instance, commonly enabling remote code execution.
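The weakness pair described above (CWE-470 feeding CWE-502) is easiest to see next to its fix. The following PHP is an added illustration written for this page, not Horde code: it contrasts a hypothetical driver factory that builds a class name from untrusted input with an allowlisted factory, and shows the `unserialize()` `allowed_classes` option that refuses to instantiate objects from untrusted serialized data. All class and function names here (`StorageDriver`, `ImapDriver`, `DriverFactory`, `loadDriverUnsafe`, `safeUnserialize`) are invented for the example.

```php
<?php
// Added illustration for CVE-2022-30287's weakness classes; not code from Horde.
declare(strict_types=1);

interface StorageDriver
{
    public function name(): string;
}

final class ImapDriver implements StorageDriver
{
    public function __construct(private array $params = []) {}
    public function name(): string { return 'imap'; }
}

final class Pop3Driver implements StorageDriver
{
    public function __construct(private array $params = []) {}
    public function name(): string { return 'pop3'; }
}

// Vulnerable pattern (CWE-470, unsafe reflection): the class name is derived
// from a request parameter, so any loadable class can be instantiated, not just
// the drivers the application intended to expose.
function loadDriverUnsafe(string $driver, array $params): object
{
    $class = ucfirst($driver) . 'Driver';   // attacker controls $driver
    return new $class($params);
}

// Hardened pattern: untrusted tokens are looked up in a fixed allowlist, and the
// result is checked against the expected interface before it is used.
final class DriverFactory
{
    private const ALLOWED = [
        'imap' => ImapDriver::class,
        'pop3' => Pop3Driver::class,
    ];

    public static function load(string $driver, array $params = []): StorageDriver
    {
        $key = strtolower($driver);
        if (!array_key_exists($key, self::ALLOWED)) {
            throw new InvalidArgumentException("Unknown driver: $driver");
        }
        $class = self::ALLOWED[$key];
        $instance = new $class($params);
        if (!$instance instanceof StorageDriver) {
            throw new UnexpectedValueException("$class is not a StorageDriver");
        }
        return $instance;
    }
}

// Defensive counterpart for the CWE-502 half: refuse to instantiate any class
// from untrusted serialized input. With allowed_classes => false, objects in the
// payload are restored as __PHP_Incomplete_Class instances, so no gadget's
// __wakeup() or __destruct() runs. Prefer JSON for untrusted data where possible.
function safeUnserialize(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed inputs for demonstration.
echo DriverFactory::load('imap')->name(), PHP_EOL;

try {
    DriverFactory::load('ArrayIterator');   // rejected: not in the allowlist
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

$untrusted = serialize(['mailbox' => 'INBOX', 'page' => 2]);   // constructed sample
var_dump(safeUnserialize($untrusted));
```

The allowlist is the essential control: rejecting unknown tokens before the `new` expression removes the reflection primitive entirely, whereas validating after instantiation is too late because constructors have already run. `allowed_classes => false` is a second, independent layer that limits what a reachable `unserialize()` call can do if input validation is bypassed elsewhere.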
The Debian LTS advisory list and the Horde project site indicate that updated packages addressing the issue are available for supported distributions; administrators are advised to apply the fixes promptly.
Public analysis from SonarSource demonstrates practical remote code execution via email-borne payloads. The EPSS score peaked at 0.2260 and currently stands at 0.1859, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52239
Vulnerability details
Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Untrusted serialized data can be deserialized and observed inside an isolated sandbox, so that gadget-chain exploitation is contained and cannot affect systems outside the sandbox.
- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
- Validates or rejects untrusted serialized data before deserialization occurs.
- Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized information can detect tampering before deserialization occurs.
- Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.