CVE-2020-12846

03.06.2020, 17:15

Zimbra before 8.8.15 Patch 10 and 9.x before 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a "Corrupt File" error, but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 93%

Vendor	Product	Version
synacor	zimbra_collaboration_suite	𝑥 < 8.8.15
synacor	zimbra_collaboration_suite	8.8.15
synacor	zimbra_collaboration_suite	8.8.15:p1
synacor	zimbra_collaboration_suite	8.8.15:p2
synacor	zimbra_collaboration_suite	8.8.15:p3
synacor	zimbra_collaboration_suite	8.8.15:p4
synacor	zimbra_collaboration_suite	8.8.15:p5
synacor	zimbra_collaboration_suite	8.8.15:p6
synacor	zimbra_collaboration_suite	8.8.15:p7
synacor	zimbra_collaboration_suite	8.8.15:p8
synacor	zimbra_collaboration_suite	8.8.15:p9
synacor	zimbra_collaboration_suite	9.0.0
synacor	zimbra_collaboration_suite	9.0.0:p1
synacor	zimbra_collaboration_suite	9.0.0:p2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-434 - Unrestricted Upload of File with Dangerous Type
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

References

https://wiki.zimbra.com/wiki/Security_Center

https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P3

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

https://wiki.zimbra.com/wiki/Security_Center

https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P3

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories