Cyber Resilience

CVE-2022-31245

Severity: High · Public PoC · RCE

Published: 20 May 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: mailcow-dockerized 2022-05d (see below)
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.2505 (96.3rd percentile)
Risk priority: 33 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-31245 is a high-severity OS Command Injection (CWE-78) vulnerability in mailcow (mailcow-dockerized). Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-31245 is an OS command injection vulnerability, tracked under CWE-78, that affects mailcow versions prior to 2022-05d. The flaw resides in the Sync Jobs feature: input supplied through the --debug option in conjunction with the ---PIPEMESS option is not properly sanitized before it reaches the operating system, allowing command execution.

A remote authenticated user with low privileges can exploit the issue over the network to inject and execute arbitrary operating system commands. Successful exploitation grants the attacker the ability to escalate privileges to domain administrator level, resulting in full compromise of confidentiality, integrity, and availability as reflected in the CVSS 8.8 score.

The official mailcow-dockerized release 2022-05d fixes the affected Sync Jobs handling. Public references include both the vendor advisory and a proof-of-concept repository demonstrating the injection technique.

The associated EPSS score peaked at 0.2505 and has not materially increased since disclosure.


Vulnerability details

mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

CWE(s)

CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mailcow
mailcow_dockerized

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
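To show the second control (input validation against CWE-78) in working code, the following is an added example; it is not mailcow's code and does not reflect how mailcow's Sync Jobs are implemented. The allowlist of option names, the `imapsync` program name and argv layout, and the function names are assumptions chosen for illustration. The point it demonstrates is that a user-supplied option string is tokenised, every token is checked against a character allowlist and an option allowlist, and the accepted tokens become an argument vector passed with shell=False, so no token is ever interpreted by a shell. The weak string-concatenation pattern is kept beside it only for contrast and is never executed.

```python
import re
import shlex
import subprocess

# Hypothetical allowlist of option names a sync job may pass through.
# This is an illustration, not mailcow's own list.
ALLOWED_OPTIONS = frozenset({"--debug", "--dry", "--automap", "--subscribeall"})

# A single argv token may contain only these characters; shell metacharacters
# such as ; | & $ ` ( ) < > , whitespace and quotes never match.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_.@:/=+-]+$")


class UnsafeParameter(ValueError):
    """Raised when a user-supplied parameter string is rejected."""


def validate_custom_params(raw: str) -> list[str]:
    """Split a user-supplied parameter string into tokens and validate each one.

    Returns the accepted tokens; raises UnsafeParameter on the first violation.
    """
    try:
        tokens = shlex.split(raw)          # honours quoting, evaluates nothing
    except ValueError as exc:              # e.g. unbalanced quotes
        raise UnsafeParameter(f"unparseable parameter string: {exc}") from exc

    accepted: list[str] = []
    for tok in tokens:
        if not _TOKEN_RE.fullmatch(tok):
            raise UnsafeParameter(f"disallowed characters in {tok!r}")
        if tok.startswith("-") and tok not in ALLOWED_OPTIONS:
            raise UnsafeParameter(f"option not permitted: {tok}")
        accepted.append(tok)
    return accepted


def is_safe_params(raw: str) -> bool:
    """Convenience predicate: True if the string passes validation."""
    try:
        validate_custom_params(raw)
        return True
    except UnsafeParameter:
        return False


def weak_command_line(raw: str) -> str:
    """The weak pattern: user input concatenated into one string meant for a shell.

    Shown for contrast only; nothing here executes it. With shell=True the shell
    would interpret any metacharacters in `raw` before the program ever saw them.
    """
    return "imapsync " + raw


def hardened_command(raw: str) -> list[str]:
    """The hardened pattern: validated tokens become an argv list, no shell involved."""
    return ["imapsync", *validate_custom_params(raw)]


def run_sync_job(raw: str) -> subprocess.CompletedProcess:
    """Run the job with an argv list (shell=False), so no token is shell-interpreted.

    Assumes an `imapsync` binary on PATH (hypothetical); not invoked by the checks.
    """
    return subprocess.run(hardened_command(raw), shell=False, check=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample inputs: one accepted, two rejected.
    for sample in ("--debug --dry", "--debug ---PIPEMESS", "--debug; true"):
        try:
            print(sample, "->", hardened_command(sample))
        except UnsafeParameter as err:
            print(sample, "-> rejected:", err)
```

The option allowlist is the part that does the real work: rejecting unknown flags outright means an option the application never intended to expose cannot be smuggled in, whatever characters it contains, while the character check catches metacharacters inside values that do pass the flag test.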
