CVE-2022-31138
Published: 11 July 2022
Summary
CVE-2022-31138 is a high-severity OS Command Injection (CWE-78) vulnerability in Mailcow. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 9.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-31138 is an OS command injection vulnerability (CWE-78) affecting the mailcow-dockerized mail server suite prior to version 2022-06a. It resides in the handling of Syncjob custom parameters, specifically regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess, and maxlinelengthcmd, which are passed to underlying system commands without adequate sanitization.
An authenticated user with access to modify Syncjob settings can supply crafted values for these parameters to execute arbitrary code on the host. With a CVSS score of 8.8, successful exploitation yields full confidentiality, integrity, and availability impact within the mailcow environment.
The official advisory and release notes direct administrators to run the update.sh script in the mailcow root directory to reach version 2022-06a or later. As an interim control, the Syncjob ACL can be removed from all mailbox users to block modification of the affected settings. Public references include a detailed proof-of-concept repository and the corresponding GitHub security advisory.
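The following is an added example, not mailcow's code or its actual fix, that shows the structural difference behind this class of bug: user-controlled sync-job options concatenated into a shell string (the CWE-78 pattern the advisory describes) versus the same options passed as a validated argv list, where no shell ever re-parses the values. The parameter names come from the advisory; the base command (`sync-tool`), the classification of `pipemess` and `maxlinelengthcmd` as command-valued, and the admin-only rule are assumptions for illustration.

```python
"""Hardening pattern for user-supplied sync-job custom parameters.

Illustrative example only (not mailcow's implementation). Parameter names are
taken from CVE-2022-31138; everything else here is an assumption.
"""
import re
import subprocess
from typing import Dict, List

# Custom sync-job parameters the advisory names as user-controlled.
CUSTOM_PARAMS = {
    "regexmess", "skipmess", "regexflag", "delete2foldersonly",
    "delete2foldersbutnot", "regextrans2", "pipemess", "maxlinelengthcmd",
}

# Assumption for this example: these two take a command as their value. No amount
# of quoting makes "run this program" safe from an ordinary mailbox user, so the
# hardened path reserves them for administrators (the advisory's interim control,
# dropping the Syncjob ACL from mailbox users, removes the whole surface instead).
COMMAND_VALUED = {"pipemess", "maxlinelengthcmd"}

# Control characters (NUL, newline, ...) are never legitimate in an option value.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
MAX_LEN = 512


class RejectedParameter(ValueError):
    """Raised when a custom parameter fails validation."""


def build_unsafe(base_cmd: str, params: Dict[str, str]) -> str:
    """The CWE-78 pattern: values are spliced into one string handed to a shell.
    Shown only to contrast with build_safe(); nothing in this file executes it."""
    return base_cmd + "".join(f" --{k} {v}" for k, v in params.items())


def validate(params: Dict[str, str], is_admin: bool = False) -> Dict[str, str]:
    """Allow-list the option names, gate command-valued options, bound the values."""
    clean: Dict[str, str] = {}
    for name, value in params.items():
        if name not in CUSTOM_PARAMS:
            raise RejectedParameter(f"unknown parameter {name!r}")
        if name in COMMAND_VALUED and not is_admin:
            raise RejectedParameter(f"{name!r} is restricted to administrators")
        if not isinstance(value, str) or not value or len(value) > MAX_LEN:
            raise RejectedParameter(f"{name!r} has an invalid value")
        if CONTROL_CHARS.search(value):
            raise RejectedParameter(f"{name!r} contains control characters")
        clean[name] = value
    return clean


def build_safe(base_argv: List[str], params: Dict[str, str],
               is_admin: bool = False) -> List[str]:
    """Return an argv list: each value is exactly one argument, never re-parsed.
    Shell metacharacters in a value stay literal text inside that single argument."""
    argv = list(base_argv)
    for name, value in validate(params, is_admin).items():
        argv += [f"--{name}", value]
    return argv


def is_accepted(params: Dict[str, str], is_admin: bool = False) -> bool:
    """Convenience predicate for callers (and tests) that only need a verdict."""
    try:
        validate(params, is_admin)
        return True
    except RejectedParameter:
        return False


def run_sync(argv: List[str]) -> int:
    """shell=False: argv goes to execve directly, so no shell sees the values."""
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    print(build_safe(["sync-tool"], {"regexmess": "s/foo/bar/"}))
    print(is_accepted({"pipemess": "some-filter"}))  # False for a non-admin
```

Note the trade-off: regex-valued options such as `regexmess` legitimately contain `$`, `|` and parentheses, so a blanket "no shell metacharacters" filter would break real jobs; the structural fix is the argv list, and the filter above only rejects characters that are never valid. Whether the sync tool itself evaluates a value as code is a separate question this example does not address, which is why the command-valued options are gated rather than merely quoted.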
EPSS remains flat at 0.0609 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52766
Vulnerability details
mailcow is a mailserver suite. Prior to mailcow-dockerized version 2022-06a, an extended privilege vulnerability can be exploited by manipulating the custom parameters regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess, or maxlinelengthcmd to execute arbitrary code. Users should update their mailcow instances with the `update.sh` script in the mailcow root directory to 2022-06a or newer to receive a patch for this issue. As a temporary workaround, the Syncjob ACL can be removed from all mailbox users, preventing changes to those settings.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.