CVE-2022-27924: Zimbra Collaboration Suite - Memcached Command Injection

Date: 2026-01-08 | Affected software: Zimbra Collaboration Suite | PoC: Public

Vulnerability description

Zimbra Collaboration Suite versions 8.8.15 and 9.0 contain a memcached command injection vulnerability that allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance, leading to cache poisoning and potential credential theft.

PoC code [public]

id: CVE-2022-27924

info:
  name: Zimbra Collaboration Suite - Memcached Command Injection
  author: rxerium
  severity: high
  description: |
    Zimbra Collaboration Suite versions 8.8.15 and 9.0 contain a memcached command injection vulnerability that allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance, leading to cache poisoning and potential credential theft.
  impact: |
    Successful exploitation allows attackers to overwrite arbitrary cached entries and steal user credentials in cleartext without user interaction. With valid credentials, attackers can perform spear phishing, social engineering, and business email compromise attacks, or maintain persistent access via webshells.
  remediation: |
    Update to Zimbra Collaboration Suite version 8.8.15 Patch 31 or 9.0.0 Patch 24.1 or later. Implement multi-factor authentication to mitigate credential theft impact.
  reference:
    - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
    - https://nvd.nist.gov/vuln/detail/CVE-2022-27924
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-27924
    epss-score: 0.61474
    epss-percentile: 0.98247
    cpe: cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: synacor
    product: zimbra_collaboration_suite
    shodan-query:
      - http.title:"zimbra collaboration suite"
  tags: cve,cve2022,zimbra,injection,passive,vuln,kev,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/js/zimbraMail/share/model/ZmSettings.js"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Zimbra Collaboration Suite Web Client"

      - type: word
        part: header
        words:
          - "application/x-javascript"

      - type: word
        words:
          - "8.8.15"
          - "9.0"
        part: version

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - 'CLIENT_VERSION\",\s+{type:ZmSetting.T_CONFIG, defaultValue:\"(.*?)"'
# digest: 4a0a0047304502205f9e547b815133282f9d09d9a9242cfa57f38b2af8febae7622056b76ea168ab022100b8584869fafe9814b0400420720804c858d0842a2c32f9c12f05ab4b6f3642a7:922c64590222798bb761d5b6d8e72950
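
The matchers above only test whether the extracted client version contains 8.8.15 or 9.0, so a hit also covers instances already at the patch levels named in the remediation field. The following Python is an added example, not part of the original page or the template author's code: it compares a server-side version banner against those patch levels. It assumes the banner has the form printed by `zmcontrol -v` (`Release <x.y.z>..., Patch <x.y.z>_P<n>.`); the function names and the sample banners are constructed for illustration.

```python
import re

# Fixed patch levels, taken from the remediation text on this page.
FIXED = {"8.8.15": (31,), "9.0.0": (24, 1)}

# Assumed banner format (zmcontrol -v): "Release 9.0.0_GA_..., Patch 9.0.0_P24.1."
PATCH_RE = re.compile(r"Patch\s+(\d+\.\d+\.\d+)_P(\d+(?:\.\d+)*)")
RELEASE_RE = re.compile(r"Release\s+(\d+\.\d+\.\d+)")


def parse_version(banner):
    """Return (release, patch_tuple), or None when no release is present."""
    m = PATCH_RE.search(banner)
    if m:
        return m.group(1), tuple(int(p) for p in m.group(2).split("."))
    m = RELEASE_RE.search(banner)
    if m:
        # No "Patch" suffix: treat as the unpatched GA build.
        return m.group(1), (0,)
    return None


def status(banner):
    """Classify a banner as 'fixed', 'vulnerable', 'not-listed' or 'unknown'."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    release, patch = parsed
    if release not in FIXED:
        # The page names only 8.8.15 and 9.0 as affected releases.
        return "not-listed"
    # Tuple comparison orders P24 < P24.1 < P25 correctly.
    return "fixed" if patch >= FIXED[release] else "vulnerable"


# Constructed sample banners (build identifiers are placeholders).
SAMPLES = [
    "Release 8.8.15_GA_0000.EXAMPLE FOSS edition, Patch 8.8.15_P30.",
    "Release 8.8.15_GA_0000.EXAMPLE FOSS edition, Patch 8.8.15_P31.",
    "Release 9.0.0_GA_0000.EXAMPLE FOSS edition, Patch 9.0.0_P24.",
    "Release 9.0.0_GA_0000.EXAMPLE FOSS edition, Patch 9.0.0_P24.1.",
    "Release 9.0.0_GA_0000.EXAMPLE FOSS edition.",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{status(banner):<11} {banner}")
```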
