CVE-2021-35209

Exploit

EPSS 2.45%
Veröffentlicht 02.07.2021 19:15:08
Zuletzt bearbeitet 21.11.2024 06:12:03
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of X-Host header is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zimbra ≫ Collaboration Version >= 8.8 < 8.8.15

Zimbra ≫ Collaboration Version8.8.15 Update-

Zimbra ≫ Collaboration Version8.8.15 Updatep1

Zimbra ≫ Collaboration Version8.8.15 Updatep10

Zimbra ≫ Collaboration Version8.8.15 Updatep11

Zimbra ≫ Collaboration Version8.8.15 Updatep12

Zimbra ≫ Collaboration Version8.8.15 Updatep13

Zimbra ≫ Collaboration Version8.8.15 Updatep14

Zimbra ≫ Collaboration Version8.8.15 Updatep15

Zimbra ≫ Collaboration Version8.8.15 Updatep16

Zimbra ≫ Collaboration Version8.8.15 Updatep17

Zimbra ≫ Collaboration Version8.8.15 Updatep18

Zimbra ≫ Collaboration Version8.8.15 Updatep19

Zimbra ≫ Collaboration Version8.8.15 Updatep2

Zimbra ≫ Collaboration Version8.8.15 Updatep3

Zimbra ≫ Collaboration Version8.8.15 Updatep4

Zimbra ≫ Collaboration Version8.8.15 Updatep5

Zimbra ≫ Collaboration Version8.8.15 Updatep6

Zimbra ≫ Collaboration Version8.8.15 Updatep7

Zimbra ≫ Collaboration Version8.8.15 Updatep8

Zimbra ≫ Collaboration Version8.8.15 Updatep9

Zimbra ≫ Collaboration Version9.0.0 Update-

Zimbra ≫ Collaboration Version9.0.0 Updatep1

Zimbra ≫ Collaboration Version9.0.0 Updatep10

Zimbra ≫ Collaboration Version9.0.0 Updatep11

Zimbra ≫ Collaboration Version9.0.0 Updatep12

Zimbra ≫ Collaboration Version9.0.0 Updatep2

Zimbra ≫ Collaboration Version9.0.0 Updatep3

Zimbra ≫ Collaboration Version9.0.0 Updatep4

Zimbra ≫ Collaboration Version9.0.0 Updatep5

Zimbra ≫ Collaboration Version9.0.0 Updatep6

Zimbra ≫ Collaboration Version9.0.0 Updatep7

Zimbra ≫ Collaboration Version9.0.0 Updatep8

Zimbra ≫ Collaboration Version9.0.0 Updatep9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.45%	0.848

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Vendor Advisory

https://wiki.zimbra.com/wiki/Security_Center

Vendor Advisory

Release Notes

https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23

Vendor Advisory

Release Notes

https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16

Vendor Advisory

Release Notes

https://blog.sonarsource.com/zimbra-webmail-compromise-via-email