Cyber Resilience

CVE-2022-30287

High · Public PoC · RCE

Published: 28 July 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS Score (v3.1): 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.1859 (95.4th percentile)
Risk Priority: 27 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-30287 is a high-severity Unsafe Reflection (CWE-470) vulnerability in Horde Groupware. Its CVSS base score is 8.0 (High).

Operationally, it ranks in the top 4.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Horde Groupware Webmail Edition through version 5.2.22 is affected by a reflection injection vulnerability that permits an attacker to instantiate an arbitrary driver class, resulting in PHP object deserialization. The flaw is tracked under CWE-470 and CWE-502 and carries a CVSS 3.1 score of 8.0 reflecting network attack vector, low complexity, and low privileges with user interaction.

An authenticated attacker can supply crafted input that triggers the reflection path, leading to instantiation of attacker-controlled classes and subsequent arbitrary deserialization. Successful exploitation yields full control over confidentiality, integrity, and availability of the affected webmail instance, commonly enabling remote code execution.
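The reflection path described above, as an added illustrative example that is not Horde's code and does not reproduce its actual class names: a PHP driver factory in which request input is concatenated into the class name (the CWE-470 pattern), placed beside an allow-list version that only lets input select among known drivers, plus an unserialize() call restricted with the allowed_classes option for the CWE-502 side. The Driver interface, JsonDriver, CsvDriver and the driver request parameter are hypothetical names chosen for the example.

```php
<?php
// Added example, not Horde code. All identifiers here are hypothetical.

interface Driver
{
    public function load(string $data): array;
}

final class JsonDriver implements Driver
{
    public function load(string $data): array
    {
        return json_decode($data, true) ?? [];
    }
}

final class CsvDriver implements Driver
{
    public function load(string $data): array
    {
        return array_map('str_getcsv', explode("\n", trim($data)));
    }
}

// CWE-470 pattern: the class to instantiate is derived from externally
// controlled input. Any loadable class with a matching name becomes
// reachable; the return type check happens only after the constructor
// (and any autoloader side effects) has already run, so it is not a guard.
function vulnerableFactory(string $driver): Driver
{
    $class = 'Driver_' . $driver;   // input becomes part of a class name
    return new $class();            // arbitrary class instantiation
}

// Hardened form: input never becomes part of a class name. It only
// selects a key in a fixed map, and unknown keys are rejected.
function hardenedFactory(string $driver): Driver
{
    static $drivers = [
        'json' => JsonDriver::class,
        'csv'  => CsvDriver::class,
    ];
    if (!isset($drivers[$driver])) {
        throw new InvalidArgumentException('Unknown driver: ' . $driver);
    }
    $class = $drivers[$driver];
    return new $class();
}

// CWE-502 complement: if serialized PHP data has to be accepted at all,
// refuse to instantiate any object from it (PHP >= 7.0 supports the
// allowed_classes option; objects become __PHP_Incomplete_Class).
function unserializeNoObjects(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Usage with a hypothetical request parameter (defaults to 'json' on CLI).
$driver = $_GET['driver'] ?? 'json';
print_r(hardenedFactory($driver)->load('{"a":1}'));

// Constructed sample: a serialized integer is fine, a serialized object is
// not rebuilt as a live class.
var_dump(unserializeNoObjects('i:42;'));
var_dump(unserializeNoObjects('O:8:"stdClass":0:{}'));
```

The allow-list is the structural fix: once input can only choose among entries the application itself wrote, there is no class name left for an attacker to control, and the deserialization sink described in the advisory is no longer reachable through that path.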

Debian LTS advisory lists and the Horde project site indicate that updated packages addressing the issue are available for supported distributions, with administrators advised to apply the fixes promptly.

Public analysis from SonarSource demonstrates practical remote code execution via email-borne payloads, and the EPSS score has reached a peak of 0.2260 with a current value of 0.1859, indicating sustained exploitation interest after disclosure.

Vulnerability details

Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.

CWE(s): CWE-470 (Unsafe Reflection), CWE-502 (Deserialization of Untrusted Data)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- horde groupware ≤ 5.2.22
- debian linux 10.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-502, CWE-470: untrusted serialized data is deserialized and observed inside an isolated sandbox ("chamber"), so gadget-chain exploitation cannot reach the host outside it.
- Addresses CWE-502: penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Addresses CWE-502: evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process then addresses.
- Addresses CWE-502: validates or rejects untrusted serialized data before deserialization occurs.
- Addresses CWE-502: identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
- Addresses CWE-502: integrity verification of serialized information can detect tampering before deserialization occurs.
- Addresses CWE-502: provenance of associated data allows untrusted sources to be detected before deserialization or processing occurs.
