CVE-2022-31138

mailcow is a mailserver suite. Prior to mailcow-dockerized version 2022-06a, an extended privilege vulnerability can be exploited by manipulating the custom parameters regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess, or maxlinelengthcmd to execute arbitrary code. Users should update their mailcow instances with the `update.sh` script in the mailcow root directory to 2022-06a or newer to receive a patch for this issue. As a temporary workaround, the Syncjob ACL can be removed from all mailbox users, preventing changes to those settings.
Configurations

Configuration 1 (hide)

cpe:2.3:a:mailcow:mailcow\:_dockerized:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:03

Type Values Removed Values Added
References () https://github.com/ly1g3/Mailcow-CVE-2022-31138 - Exploit, Third Party Advisory () https://github.com/ly1g3/Mailcow-CVE-2022-31138 - Exploit, Third Party Advisory
References () https://github.com/mailcow/mailcow-dockerized/commit/d373164e13a14e058f82c9f1918a5612f375a9f9 - Patch, Third Party Advisory () https://github.com/mailcow/mailcow-dockerized/commit/d373164e13a14e058f82c9f1918a5612f375a9f9 - Patch, Third Party Advisory
References () https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-06a - Release Notes, Third Party Advisory () https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-06a - Release Notes, Third Party Advisory
References () https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-vx9w-h33p-5vhc - Mitigation, Third Party Advisory () https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-vx9w-h33p-5vhc - Mitigation, Third Party Advisory

Information

Published : 2022-07-11 14:15

Updated : 2024-11-21 07:03


NVD link : CVE-2022-31138

Mitre link : CVE-2022-31138

CVE.ORG link : CVE-2022-31138


JSON object : View

Products Affected

mailcow

  • mailcow\
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')