[Users] Zimbra vulnerability fix in the new patches released today
Fabio S. Schmidt
fabio at bktech.com.br
Thu Jun 4 04:51:15 CEST 2020
Hello Guys,
Have you seen the 8.8.15 P10 and 9.0 P3 patches released today?
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P3
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P10
There is a fix for this vulnerability mentioned:
https://vulmon.com/vulnerabilitydetails?valert=email&qid=CVE-2020-12846
Zimbra prior to 8.8.15 Patch 10 and 9.x prior to 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a "Corrupt File" error, but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution.
Did any partner receive a warning from Zimbra about this before the patches were released?
Best regards.
Fabio S. Schmidt
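As an added defender-side illustration (not part of the original post, and not Zimbra's own patch code), the following Python checks an avatar upload by its leading bytes against standard image signatures instead of trusting the file name, and runs the same check over a directory to flag stored files that are not images. The sample directory and its three files are constructed here as a stand-in for /opt/zimbra/data/tmp/upload/; the function names are my own.

```python
import os
import tempfile

# Leading bytes of the image formats an avatar upload should be limited to.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",  # covers GIF87a and GIF89a
}
# Extensions named in the advisory; rejected outright, but the decision rests on content.
EXECUTABLE_EXTENSIONS = {".exe", ".sh", ".bat", ".jar"}

def detect_image_type(head: bytes):
    """Return the image format matched by the leading bytes, or None."""
    for name, magic in IMAGE_SIGNATURES.items():
        if head.startswith(magic):
            return name
    return None

def is_valid_avatar(filename: str, data: bytes) -> bool:
    """Accept an upload only if its content starts with an image signature."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in EXECUTABLE_EXTENSIONS:
        return False
    return detect_image_type(data[:16]) is not None

def scan_upload_dir(path: str):
    """List regular files under path whose content is not a recognised image."""
    suspicious = []
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            head = fh.read(16)
        if detect_image_type(head) is None:
            suspicious.append(entry)
    return suspicious

def make_sample_dir() -> str:
    """Constructed stand-in for /opt/zimbra/data/tmp/upload/ (hypothetical contents)."""
    tmp = tempfile.mkdtemp()
    # A real PNG header, a zip/jar header stored under an image name, and a shell script.
    samples = {"avatar.png": IMAGE_SIGNATURES["png"] + b"\x00" * 8,
               "renamed.png": b"PK\x03\x04" + b"\x00" * 12,
               "script.sh": b"#!/bin/sh\necho hi\n"}
    for name, content in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(content)
    return tmp
```

Calling `scan_upload_dir(make_sample_dir())` returns `['renamed.png', 'script.sh']`: the extension check alone would have passed the second file, the content check does not.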