CVE-2022-41352: Zimbra Collaboration - Unrestricted File Upload

日期: 2025-08-01 | 影响软件: Zimbra Collaboration | POC: 已公开

漏洞描述

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.

PoC代码[已公开]

id: CVE-2022-41352

info:
  name: Zimbra Collaboration - Unrestricted File Upload
  author: rxerium
  severity: critical
  description: |
    An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
  reference:
    - https://www.secpod.com/blog/unpatched-rce-bug-in-zimbra-collaboration-suite-exploited-in-wild/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-41352
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-41352
    cwe-id: CWE-22
    epss-score: 0.9389
    epss-percentile: 0.99864
    cpe: cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: zimbra
    product: collaboration
    shodan-query:
      - http.favicon.hash:"1624375939"
      - http.html:"Zimbra Collaboration Suite Web Client"
    fofa-query: icon_hash="1624375939"
  tags: cve,cve2022,zimbra,kev,file-upload,passive,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/js/zimbraMail/share/model/ZmSettings.js"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Zimbra Collaboration Suite Web Client"

      - type: word
        part: content_type
        words:
          - "application/x-javascript"

      - type: word
        part: body
        words:
          - "8.8.15"
          - "9.0"
        condition: or

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'CLIENT_VERSION",\s*{type:ZmSetting\.T_CONFIG,\s*defaultValue:"(.*?)"'
# digest: 4a0a0047304502203f3dd959f54001fce46182466733e2132804792314e55ea6f0561008c85bc0a10221009e47ee1e8910d1f9f1218e99a0eb987826222420713d55fa7aecdc93612262a9:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-41352.yaml

相关漏洞推荐