CVE-2021-35209

An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of X-Host header is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting).
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
VendorProductVersion
zimbracollaboration
8.8 ≤
𝑥
< 8.8.15
zimbracollaboration
8.8.15
zimbracollaboration
8.8.15:p1
zimbracollaboration
8.8.15:p10
zimbracollaboration
8.8.15:p11
zimbracollaboration
8.8.15:p12
zimbracollaboration
8.8.15:p13
zimbracollaboration
8.8.15:p14
zimbracollaboration
8.8.15:p15
zimbracollaboration
8.8.15:p16
zimbracollaboration
8.8.15:p17
zimbracollaboration
8.8.15:p18
zimbracollaboration
8.8.15:p19
zimbracollaboration
8.8.15:p2
zimbracollaboration
8.8.15:p3
zimbracollaboration
8.8.15:p4
zimbracollaboration
8.8.15:p5
zimbracollaboration
8.8.15:p6
zimbracollaboration
8.8.15:p7
zimbracollaboration
8.8.15:p8
zimbracollaboration
8.8.15:p9
zimbracollaboration
9.0.0
zimbracollaboration
9.0.0:p1
zimbracollaboration
9.0.0:p10
zimbracollaboration
9.0.0:p11
zimbracollaboration
9.0.0:p12
zimbracollaboration
9.0.0:p2
zimbracollaboration
9.0.0:p3
zimbracollaboration
9.0.0:p4
zimbracollaboration
9.0.0:p5
zimbracollaboration
9.0.0:p6
zimbracollaboration
9.0.0:p7
zimbracollaboration
9.0.0:p8
zimbracollaboration
9.0.0:p9
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://blog.sonarsource.com/zimbra-webmail-compromise-via-email
https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://blog.sonarsource.com/zimbra-webmail-compromise-via-email
https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories