CVE-2022-37042
Published: 12 August 2022
Summary
CVE-2022-37042 is a critical-severity Path Traversal (CWE-22) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Zimbra Collaboration Suite (ZCS) versions 8.8.15 and 9.0 contain a path traversal vulnerability in the mboximport functionality, which accepts ZIP archives and extracts the files they contain. The flaw stems from an incomplete fix for CVE-2022-27925 and permits unauthenticated access to the import process (no authtoken is required); it is classified as CWE-22 and carries a critical CVSS base score of 9.8.
An attacker with network access can upload crafted ZIP archives that bypass authentication checks, enabling arbitrary file writes on the server. Successful exploitation grants the ability to place malicious content in sensitive directories, resulting in remote code execution on the affected ZCS installation.
Zimbra's security advisories and wiki pages document the issue and direct administrators to available patches and hardening guidance for the affected releases. Public exploit code has been posted to PacketStorm, and the vulnerability carries an EPSS score that reached a peak of 0.9755 with a current value of 0.9433.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-39696
Vulnerability details
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
- CWE(s): CWE-22 (Path Traversal)
- KEV Date Added: 11 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and authorization checks on the mboximport endpoint to block unauthenticated ZIP uploads that enable directory traversal.
- SI-10 (Information Input Validation): Requires validation of all input (ZIP archives and the entry paths embedded in them) to reject malformed entries or traversal sequences before extraction occurs.
- Mandates identification and authentication mechanisms that would have prevented the authtoken bypass used to reach the vulnerable import function.
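As an added example (not Zimbra's code and not part of this advisory), the fail-closed ZIP entry validation that the SI-10 control describes: every entry name is checked for absolute paths and '..' components before anything is written, and a constructed two-entry archive containing one traversal entry is rejected whole. The function names, the sample entries and the extraction root are assumptions for illustration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

def is_safe_member(name: str) -> bool:
    """Reject empty/absolute names, drive letters and any '..' part, before any FS call."""
    if not name or name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        return False
    return ".." not in PurePosixPath(name.replace("\\", "/")).parts
def safe_extract(archive: bytes, dest: str) -> list:
    """Validate every entry first, then extract; one bad entry rejects the whole archive."""
    root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        bad = [n for n in zf.namelist() if not is_safe_member(n)]
        if bad:
            raise ValueError(f"rejected traversal entries: {bad}")
        written = []
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if target != root and root not in target.parents:  # second line of defence
                raise ValueError(f"entry escapes root: {info.filename}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(root).as_posix())
    return written

def build_zip(entries: dict) -> bytes:
    """Constructed sample archive built in memory (not a real mboximport upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

BENIGN = build_zip({"Inbox/msg-1.eml": b"Subject: hi\r\n\r\nhello"})
HOSTILE = build_zip({"Inbox/ok.eml": b"x", "../../escape.txt": b"must never land"})
def run_demo() -> tuple:
    """Returns (paths written from BENIGN, HOSTILE rejected?, any HOSTILE file written?)."""
    with tempfile.TemporaryDirectory() as d:
        ok = safe_extract(BENIGN, d)
        try:
            safe_extract(HOSTILE, d)
        except ValueError:
            return ok, True, os.path.exists(os.path.join(d, "Inbox", "ok.eml"))
        return ok, False, True
```

Because the whole archive is validated before the first write, the benign entry that precedes the traversal entry in HOSTILE is never extracted either.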