CVE-2022-41352
Published: 26 September 2022
Summary
CVE-2022-41352 is a critical-severity Path Traversal (CWE-22) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA added it to the Known Exploited Vulnerabilities catalog on 20 October 2022, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2022-41352 is a path traversal vulnerability in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0. The amavis content filter that ZCS runs on inbound mail unpacks archive attachments for scanning; when it does so with cpio, the archive's own entry paths are not confined to the extraction directory, so a crafted archive can write arbitrary files to any location the amavis process can reach, including the publicly served directory /opt/zimbra/jetty/webapps/zimbra/public. The flaw is tracked under CWE-22 and carries a CVSS 3.1 base score of 9.8.
An unauthenticated remote attacker exploits the flaw by emailing a crafted archive attachment to any mailbox on the server: amavis unpacks it for content scanning, and cpio writes the attacker's files wherever the archive's entry paths point, with the privileges of the amavis process. Zimbra describes the outcome as incorrect access to any other user account on the server. Because the vector requires no credentials or user interaction, the attack can be launched directly over the network.
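The check that stops this class of flaw is validating every archive entry before anything is written. The following is an added example, not Zimbra, amavis or cpio code: it audits tar entries (the same three rules apply to cpio archives) and rejects absolute paths, `..` components, links whose targets resolve outside the extraction directory, and files written through a symlink the same archive declares, which is how a write can escape the extraction directory even when its own path looks harmless. The two archives, the web-root path /var/www/public and the extraction directory /srv/extract are constructed for the illustration.

```python
"""Added example (not Zimbra, amavis or cpio code): audit archive entries for
path traversal before extraction. Written for tar data; the rules carry over to cpio."""
import io
import os
import tarfile
import tempfile


def _inside(base, path):
    """True if normalised absolute `path` is `base` or lies below it."""
    return path == base or path.startswith(base + os.sep)


def audit_tar_entries(data, dest):
    """Return [(entry_name, reason), ...] for every entry that would land outside
    `dest`; an empty list means extraction there is safe. Purely lexical: nothing
    is touched on disk."""
    dest_abs = os.path.abspath(dest)
    problems = []
    symlinks = {}  # archive path of each symlink entry -> its resolved target
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            name = m.name
            if name.startswith("/"):
                problems.append((name, "absolute path"))
                continue
            parts = name.split("/")
            if ".." in parts:
                problems.append((name, "parent-directory traversal"))
                continue
            # Conservative rule: never write through a symlink the archive itself
            # declared, even one that happens to point inside dest.
            via = next((p for p in ("/".join(parts[:i]) for i in range(1, len(parts)))
                        if p in symlinks), None)
            if via is not None:
                problems.append((name, "written through archive symlink %r -> %s" % (via, symlinks[via])))
                continue
            if m.issym():
                # symlink targets resolve relative to the link's own directory;
                # os.path.join discards the parent when the target is absolute
                parent = os.path.dirname(os.path.join(dest_abs, name))
                target = os.path.normpath(os.path.join(parent, m.linkname))
                symlinks[name] = target
                if not _inside(dest_abs, target):
                    problems.append((name, "symlink escapes to " + target))
            elif m.islnk():
                # hard link targets are relative to the archive root
                target = os.path.normpath(os.path.join(dest_abs, m.linkname))
                if not _inside(dest_abs, target):
                    problems.append((name, "hardlink escapes to " + target))
    return problems


def safe_extract(data, dest):
    """Extract only after the audit passes; returns the extracted entry names."""
    problems = audit_tar_entries(data, dest)
    if problems:
        raise ValueError("refusing to extract: %r" % problems)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        try:
            tf.extractall(dest, filter="data")  # tarfile with extraction filters
        except TypeError:
            tf.extractall(dest)  # older Python without the filter argument
        return tf.getnames()


def build_tar(entries):
    """Constructed sample data: entries are (name, 'file', bytes) or
    (name, 'symlink', link_target). Names are written verbatim, which is exactly
    what lets an archive carry traversal paths."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


WEB_ROOT = "/var/www/public"  # hypothetical publicly served directory
EVIL_TAR = build_tar([
    ("../../escaped.txt", "file", b"traversal"),
    ("/tmp/absolute.txt", "file", b"absolute"),
    ("pub", "symlink", WEB_ROOT),             # symlink out of the extraction dir
    ("pub/dropped.txt", "file", b"dropped"),  # write that would follow the link
])
GOOD_TAR = build_tar([("readme.txt", "file", b"hello"), ("docs/a.txt", "file", b"a")])


def demo():
    """Audit both archives; extract the clean one into a fresh temp dir."""
    dest = tempfile.mkdtemp()
    extracted = safe_extract(GOOD_TAR, dest)
    with open(os.path.join(dest, "docs", "a.txt"), "rb") as fh:
        content = fh.read()
    return {
        "evil_problems": audit_tar_entries(EVIL_TAR, "/srv/extract"),
        "good_problems": audit_tar_entries(GOOD_TAR, dest),
        "extracted": extracted,
        "content": content,
    }
```

Run `demo()` and the evil archive is rejected on all four entries, including `pub/dropped.txt`, whose own path is clean; the audit catches it only because it tracks the symlink the archive declared two entries earlier. That tracking is the part a naive "does the path contain `..`" check misses.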
Zimbra's security advisory and wiki recommend installing pax so that amavis uses it instead of cpio: pax is already listed among Zimbra's Ubuntu prerequisites, and amavis automatically prefers it over cpio once it is present. On RHEL and CentOS 7 and later, administrators must install pax explicitly because it is no longer part of the default installation.
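A host check for that mitigation, as an added example that is not Zimbra or amavis code: it applies the rule the vendor states (pax preferred whenever it is installed, cpio otherwise) and reads /etc/os-release to surface the RHEL caveat. It assumes amavis resolves the extractor on the same PATH this script sees, so it should be run as the zimbra user on the mail host; the fake tool directories in `demo()` are constructed fixtures.

```python
"""Added example, not Zimbra or amavis code: a host check for the pax-over-cpio
mitigation. Assumption: amavis resolves the extractor on the same PATH this
script sees, so run it as the zimbra user on the mail host."""
import os
import stat
import tempfile


def find_tool(name, path=None):
    """First regular file called `name` with an executable bit on `path`
    (os.pathsep separated; None = this process's PATH), or None."""
    dirs = (os.environ.get("PATH", "") if path is None else path).split(os.pathsep)
    for d in dirs:
        candidate = os.path.join(d, name)
        try:
            st = os.stat(candidate)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
            return candidate
    return None


def assess_extractor(path=None):
    """Rule from the advisory: amavis prefers pax whenever it is installed and
    falls back to cpio (the vulnerable extractor) otherwise."""
    pax, cpio = find_tool("pax", path), find_tool("cpio", path)
    if pax:
        return {"extractor": "pax", "binary": pax, "mitigated": True}
    if cpio:
        return {"extractor": "cpio", "binary": cpio, "mitigated": False}
    return {"extractor": None, "binary": None, "mitigated": False}


def os_family(os_release_text):
    """Classify /etc/os-release so the RHEL caveat can be surfaced: Ubuntu lists
    pax as a Zimbra prerequisite, RHEL/CentOS after release 6 do not ship it."""
    fields = {}
    for line in os_release_text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    ids = set((fields.get("ID", "") + " " + fields.get("ID_LIKE", "")).lower().split())
    if ids & {"rhel", "centos", "fedora"}:
        return "rhel-family"
    if ids & {"debian", "ubuntu"}:
        return "debian-family"
    return "unknown"


HINTS = {
    "rhel-family": "pax is not in the default install: install the pax package, then re-run this check",
    "debian-family": "pax is a Zimbra prerequisite here: if it is missing, install it with apt and re-run",
    "unknown": "make sure a pax binary is on PATH for the zimbra user",
}


def report(path=None, os_release="/etc/os-release"):
    """What an operator runs on the host: extractor decision plus a distro hint."""
    result = assess_extractor(path)
    try:
        with open(os_release) as fh:
            family = os_family(fh.read())
    except OSError:
        family = "unknown"
    result["hint"] = None if result["mitigated"] else HINTS[family]
    return result


def fake_tool_dir(tools):
    """Constructed fixture: a temp dir holding empty executables named `tools`."""
    d = tempfile.mkdtemp()
    for t in tools:
        p = os.path.join(d, t)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, 0o755)
    return d


def demo():
    """Run the decision against three constructed hosts: both tools, cpio only, neither."""
    return {
        "both": assess_extractor(fake_tool_dir(["pax", "cpio"]))["extractor"],
        "cpio_only": assess_extractor(fake_tool_dir(["cpio"])),
        "neither": assess_extractor(fake_tool_dir([]))["extractor"],
    }


if __name__ == "__main__":
    print(report())
```

`report()` with no arguments is the form to run on the server; a result with `"extractor": "cpio"` means amavis is still using the vulnerable path, and the accompanying hint says what to install on that distribution.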
Public references, including Packet Storm and SecPod reporting, document active in-the-wild exploitation of the unpatched flaw, and the associated EPSS score has remained above 0.93 with a recorded peak of 0.97, indicating sustained attacker interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-44557
Vulnerability details
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
- CWE(s)
- CWE-22
- KEV Date Added
- 20 October 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks the cpio-based path traversal by validating archive entry paths before extraction, so no entry can escape the extraction directory into the web root.
- CM-7 (Least Functionality): enforces replacement of cpio with pax (already a documented prerequisite on Ubuntu) so amavis never invokes the vulnerable extractor.
- Patching: requires prompt installation of pax and any Zimbra patches that eliminate the cpio extraction path for this CVE.