Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2022-37042

Disclosure Date: August 12, 2022 •

CVE-2022-37042 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by mkienow-r7 and 3 more...
View Source Details

Description

Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.

Add Assessment

rbowes-r7 (95)

August 23, 2022 4:43pm UTC (2 years ago)•Edited 2 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Unauthenticated Vulnerable in default configuration

Technical Analysis

This is basically cve-2022-27925 – it’s the same exploit, but you don’t send an auth cookie and it fails to prevent access.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

zimbra

Products

collaboration 8.8.15,
collaboration 9.0.0

Metasploit Modules

exploit/linux/http/zimbra_mboximport_cve_2022_27925 (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zimbra_mboximport_cve_2022_27925.rb)

Exploited in the Wild

Reported by:

mkienow-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: August 12, 2022 1:42am UTC (2 years ago)

andrew-morris indicated source as Other: GreyNoise (https://viz.greynoise.io/ip/178.173.230.202)

Reported: August 19, 2022 9:43pm UTC (2 years ago)

rbowes-r7 indicated sources as

Government or Industry Alert (https://www.cisa.gov/uscert/ncas/alerts/aa22-228a)
News Article or Blog (https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/)

Reported: August 23, 2022 4:43pm UTC (2 years ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2022/08/11/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:24am UTC (1 month ago)

References

Canonical

CVE-2022-37042 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37042)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2022-37042 (https://github.com/aels/CVE-2022-37042) (Added by AKB Worker)

CVE-2022-37042 (https://github.com/0xf4n9x/CVE-2022-37042) (Added by AKB Worker)

Miscellaneous

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

https://wiki.zimbra.com/wiki/Security_Center

http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html

Rapid7

August 19, 2022 8:56pm UTC (2 years ago)

Technical Analysis

We analyzed this Zimbra vulnerability as part of CVE-2022-27925.

Very High

CVE-2022-37042

Very High

Very High

None

None

Network

CVE-2022-37042

Description