CVE-2022-26562

An issue in provider/libserver/ECKrbAuth.cpp of Kopano Core <= v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password is expired. It also exists in the predecessor Zarafa Collaboration Platform (ZCP) in provider/libserver/ECPamAuth.cpp of Zarafa >= 6.30 (introduced between 6.30.0 RC1e and 6.30.8 final).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 88%
VendorProductVersion
kopanogroupware_core
11.0.2.51
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
kopanocore
noble
dne
mantic
dne
lunar
dne
kinetic
ignored
jammy
Fixed 8.7.0-7.1ubuntu10.1
released
impish
ignored
focal
Fixed 8.7.0-7ubuntu1.1
released
bionic
Fixed 8.5.5-0ubuntu1+esm1
released
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-342b96903b
https://bugzilla.redhat.com/show_bug.cgi?id=2192126
https://github.com/Kopano-dev/kopano-core/blob/master/provider/libserver/ECKrbAuth.cpp#L137
https://jira.kopano.io/browse/KC-2021
https://kopano.com/
https://lists.debian.org/debian-lts-announce/2023/03/msg00006.html
https://src.fedoraproject.org/rpms/zarafa/c/a5a8366ccf07f248fae6edffb5123cfda579bfdb?branch=epel7
https://stash.kopano.io/projects/KC/repos/kopanocore/browse/provider/libserver/ECKrbAuth.cpp#137
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-342b96903b
https://bugzilla.redhat.com/show_bug.cgi?id=2192126
https://github.com/Kopano-dev/kopano-core/blob/master/provider/libserver/ECKrbAuth.cpp#L137
https://jira.kopano.io/browse/KC-2021
https://kopano.com/
https://lists.debian.org/debian-lts-announce/2023/03/msg00006.html
https://src.fedoraproject.org/rpms/zarafa/c/a5a8366ccf07f248fae6edffb5123cfda579bfdb?branch=epel7
https://stash.kopano.io/projects/KC/repos/kopanocore/browse/provider/libserver/ECKrbAuth.cpp#137