CVE-2024-27442

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The zmmailboxdmgr binary, a component of ZCS, is intended to be executed by the zimbra user with root privileges for specific mailbox operations. However, an attacker can escalate privileges from the zimbra user to root, because of improper handling of input arguments. An attacker can execute arbitrary commands with elevated privileges, leading to local privilege escalation.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes	Release Notes
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zimbra:collaboration::::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:-::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p0::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p1::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p10::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p11::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p12::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p13::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p14::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p15::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p16::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p19::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p2::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p20::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p21::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p23::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p24::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p24.1::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p25::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p26::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p27::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p3::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p30::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p31::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p32::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p33::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p34::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p35::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p36::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p37::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p38::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p4::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p5::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p6::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p7::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p7.1::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p8::::::
	cpe:2.3:a:zimbra:collaboration:9.0.0:p9::::::

History

13 Aug 2024, 17:30

Type	Values Removed	Values Added
CWE		CWE-755
References	~~() https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes -~~	() https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Security_Fixes - Release Notes
References	~~() https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes -~~	() https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes - Release Notes
CPE		cpe:2.3:a:zimbra:collaboration:9.0.0:p27:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p14:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p21:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p19:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p12:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p1:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p10:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p3:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p16:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p11:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p5:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p9:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p30:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p38:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p34:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p20:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p35:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p7.1:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p4:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p2:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p36:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p7:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:-:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p31:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p24.1:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p24:::::: cpe:2.3:a:zimbra:collaboration:::::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p15:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p0:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p25:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p13:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p33:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p8:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p6:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p32:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p37:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p23:::::: cpe:2.3:a:zimbra:collaboration:9.0.0:p26::::::
First Time		Zimbra collaboration Zimbra

13 Aug 2024, 15:35

Type	Values Removed	Values Added
Summary		(es) Se descubrió un problema en Zimbra Collaboration (ZCS) 9.0 y 10.0. El binario zmmailboxdmgr, un componente de ZCS, está manipulado para que lo ejecute el usuario de zimbra con privilegios de root para operaciones específicas del buzón. Sin embargo, un atacante puede escalar privilegios del usuario de zimbra al root debido al manejo inadecuado de los argumentos de entrada. Un atacante puede ejecutar comandos arbitrarios con privilegios elevados, lo que lleva a una escalada de privilegios locales.
CWE		CWE-269
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8

12 Aug 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-12 15:15

Updated : 2024-08-13 17:30

NVD link : CVE-2024-27442

Mitre link : CVE-2024-27442

CVE.ORG link : CVE-2024-27442

JSON object : View

Products Affected

zimbra

collaboration

CWE

CWE-755

Improper Handling of Exceptional Conditions

CWE-269

Improper Privilege Management

7.8 /10