[Users] Zimbra vulnerability fix in the new patches released today

Fabio S. Schmidt fabio at bktech.com.br
Thu Jun 4 04:51:15 CEST 2020


Hello Guys, 

Have you seen the 8.8.15 P10 and 9.0 P3 patches released today? 

https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P3
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P10

There is a fix for this vulnerability mentioned: 

https://vulmon.com/vulnerabilitydetails?valert=email&qid=CVE-2020-12846

Zimbra prior to 8.8.15 Patch 10 and 9.x prior to 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a "Corrupt File" error, but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution. 

Did any partner receive a warning from Zimbra about this before the patches were released? 

Best regards. 
Fabio S. Schmidt 
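An added example, not from Fabio's post or from Zimbra: a small POSIX sh sweep that flags files in the upload spool named in the advisory text (/opt/zimbra/data/tmp/upload/) whose leading bytes identify them as a PE or ELF executable, a shebang script, or a zip/jar archive rather than an image, so an admin can see what was left behind before and after applying the patch. The directory is passed as an argument; the demo data at the bottom is constructed and stands in for the real spool.

```shell
#!/bin/sh
# Added example, not from the post or from Zimbra: flag files in an upload
# spool whose content looks executable, whatever their name. The avatar bug
# described above leaves rejected uploads in /opt/zimbra/data/tmp/upload/;
# pass that directory as the argument to sweep it. Assumes POSIX sh and od(1).

# First four bytes of a file as lowercase hex, no separators.
magic_hex() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Classify one file by its leading bytes: prints a label, or "ok" if the
# magic is not one of the executable/script/archive signatures we care about.
classify_file() {
    case "$(magic_hex "$1")" in
        4d5a*)    echo "pe-executable" ;;   # "MZ": Windows exe/dll
        7f454c46) echo "elf-executable" ;;  # "\x7fELF": Linux binary
        2321*)    echo "shebang-script" ;;  # "#!": sh/bash/python script
        504b0304) echo "zip-container" ;;   # "PK": jar (and any zip)
        *)        echo "ok" ;;
    esac
}

# Walk one directory (non-recursive), print "<label> <path>" per flagged
# file, and return 1 if anything was flagged, 0 if the spool looks clean.
scan_upload_dir() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        label=$(classify_file "$f")
        if [ "$label" != "ok" ]; then
            echo "$label $f"
            found=1
        fi
    done
    return $found
}

# Constructed demo spool standing in for /opt/zimbra/data/tmp/upload/.
DEMO=$(mktemp -d)
printf 'MZ\220\000' > "$DEMO/avatar-1"            # PE header under a bland name
printf '#!/bin/sh\necho hi\n' > "$DEMO/avatar-2"  # shell script
printf '\211PNG\r\n\032\n' > "$DEMO/avatar-3"     # genuine PNG header: not flagged
if scan_upload_dir "$DEMO"; then
    echo "no executable content in $DEMO"
else
    echo "review the files listed above in $DEMO"
fi
rm -rf "$DEMO"
```

Run it against the real spool with `sh scan.sh /opt/zimbra/data/tmp/upload` as the zimbra user; a non-zero exit means at least one file was flagged.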