Cyber Resilience

CVE-2022-31138

High · Public PoC · RCE

Published: 11 July 2022

Modified: 21 November 2024
KEV Added: not listed (see Summary)
Patch: available (mailcow-dockerized 2022-06a, via update.sh)
CVSS v3.1: 8.8 (High), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.0609 (91.0th percentile)
Risk Priority: 21 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-31138 is a high-severity OS Command Injection (CWE-78) vulnerability in mailcow (mailcow-dockerized). Its CVSS v3.1 base score is 8.8 (High).

Operationally, its EPSS score places it in the top 9.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-31138 is an OS command injection vulnerability (CWE-78) affecting the mailcow-dockerized mail server suite prior to version 2022-06a. It resides in the handling of the Syncjob custom parameters regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess and maxlinelengthcmd, whose values are passed to the underlying system command without adequate sanitization.

An authenticated user who can modify Syncjob settings (PR:L in the vector) can supply crafted values for these parameters to execute arbitrary code. The vector marks scope as unchanged (S:U), so the rated impact is full loss of confidentiality, integrity and availability within the mailcow environment rather than a scope-crossing compromise; with a score of 8.8 that is still a high-severity outcome for a mail server.

The official advisory and release notes direct administrators to run the update.sh script in the mailcow root directory to reach mailcow-dockerized 2022-06a or later. As an interim control, the Syncjob ACL can be removed from all mailbox users, which blocks modification of the affected settings. Public references include a detailed proof-of-concept repository and the corresponding GitHub security advisory.

EPSS remains flat at 0.0609 with no material increase after disclosure.


Vulnerability details

mailcow is a mailserver suite. Prior to mailcow-dockerized version 2022-06a, an extended privilege vulnerability can be exploited by manipulating the custom parameters regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess, or maxlinelengthcmd to execute arbitrary code. Users should update their mailcow instances with the `update.sh` script in the mailcow root directory to 2022-06a or newer to receive a patch for this issue. As a temporary workaround, the Syncjob ACL can be removed from all mailbox users, preventing changes to those settings.

CWE(s)

CWE-78: OS Command Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mailcow
mailcow_dockerized

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. Of limited value for this CVE: the Syncjob parameter values are handed from the web UI to an underlying system command, so no runtime sits between the untrusted value and the command that consumes it.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution. For this CVE the vendor's controls are the 2022-06a patch and, as an interim measure, withholding the Syncjob ACL from mailbox users so the parameters cannot be changed at all.
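Worked example, added here and not mailcow's own code or part of the original page, tying the Deeper analysis above to the input-validation control just listed: a Syncjob-style feature that hands user-controlled option values to a command-line tool, first in the vulnerable shape (values pasted into one shell string) and then hardened (each value as a single argv element, plus a policy check that mirrors the Syncjob ACL workaround). The option names are the eight parameters the advisory lists. Two things are assumptions: that `pipemess` and `maxlinelengthcmd` name a command the underlying sync tool runs per message, and the stand-in "tool", which is the Python interpreter itself echoing its argv so the block runs offline with only /bin/sh present.

```python
"""CWE-78 in a Syncjob-style feature: user-supplied option values reach a
command-line tool.  Added illustration, not mailcow code.  The option names
are the Syncjob parameters named in the advisory for CVE-2022-31138; the
stand-in tool is this interpreter printing its own argv."""
import shlex
import subprocess
import sys

# Custom parameters named in the advisory for CVE-2022-31138.
SYNCJOB_CUSTOM_OPTS = frozenset({
    "regexmess", "skipmess", "regexflag", "delete2foldersonly",
    "delete2foldersbutnot", "regextrans2", "pipemess", "maxlinelengthcmd",
})
# Assumption about the underlying sync tool: these two options name a command
# to run per message, so they are code execution by design, quoted or not.
COMMAND_VALUED_OPTS = frozenset({"pipemess", "maxlinelengthcmd"})

# Stand-in for the sync tool: prints each argv element on its own line.
TOOL = [sys.executable, "-c", "import sys; [print(a) for a in sys.argv[1:]]"]


def render_shell_unsafe(opts):
    """Vulnerable shape: the fixed prefix is quoted, the user values are not."""
    parts = [shlex.quote(t) for t in TOOL]
    for name, value in opts.items():
        parts.append(f"--{name} {value}")      # value re-parsed by /bin/sh
    return " ".join(parts)


def run_unsafe(opts):
    """Execute through /bin/sh; returns the output lines."""
    result = subprocess.run(render_shell_unsafe(opts), shell=True,
                            capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


def build_argv_safe(opts):
    """Hardened shape: each value is exactly one argv element, never re-parsed."""
    argv = list(TOOL)
    for name, value in opts.items():
        argv += [f"--{name}", value]
    return argv


def run_safe(opts):
    """Execute without a shell; returns the output lines."""
    result = subprocess.run(build_argv_safe(opts), shell=False,
                            capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


def check_syncjob_opts(opts, has_syncjob_acl):
    """Policy layer mirroring the page's interim control: without the Syncjob
    ACL no custom parameter may be changed; command-valued options are flagged
    regardless, because quoting cannot make them safe.  Returns problems."""
    problems = []
    for name, value in opts.items():
        if name not in SYNCJOB_CUSTOM_OPTS:
            problems.append(f"{name}: not a recognised custom parameter")
        elif not has_syncjob_acl:
            problems.append(f"{name}: caller lacks the Syncjob ACL")
        elif name in COMMAND_VALUED_OPTS:
            problems.append(f"{name}: runs a command per message; admin-only")
        elif "\n" in value or "\0" in value:
            problems.append(f"{name}: control characters not allowed")
    return problems


if __name__ == "__main__":
    # Constructed payload: a plausible regex value with a shell command appended.
    payload = {"regexmess": "s/foo/bar/; echo INJECTED"}
    print("unsafe:", run_unsafe(payload))
    print("safe:  ", run_safe(payload))
    print("policy:", check_syncjob_opts(payload, has_syncjob_acl=False))
```

The appended `echo INJECTED` fires only through the shell path; with argv execution it stays inside the single `--regexmess` value and the tool sees it as text. Note what the policy check deliberately does not do: it does not reject shell metacharacters in the regex-valued options, because legitimate substitution regexes contain `$`, `|` and parentheses, and argv execution already makes them inert to the shell. For options whose purpose is to run a command, no quoting helps; the only control is who may set them, which is what removing the Syncjob ACL enforces.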
