Vulnerabilities > CVE-2022-32294 - Incorrect Authorization vulnerability in Zimbra Collaboration 8.8.15
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprove ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port). NOTE: a third party reports that this cannot be reproduced.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
References
- https://github.com/soheilsamanabadi/vulnerabilitys/blob/main/Zimbra%208.8.15%20zmprove%20ca%20command
- https://github.com/soheilsamanabadi/vulnerabilitys/blob/main/Zimbra%208.8.15%20zmprove%20ca%20command
- https://github.com/soheilsamanabadi/vulnerabilitys/pull/1
- https://github.com/soheilsamanabadi/vulnerabilitys/pull/1
- https://medium.com/%40soheil.samanabadi/zimbra-8-8-15-zmprove-ca-command-incorrect-access-control-8088032638e
- https://medium.com/%40soheil.samanabadi/zimbra-8-8-15-zmprove-ca-command-incorrect-access-control-8088032638e
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories