CVE-2022-37393
Summary
| CVE | CVE-2022-37393 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-08-16 20:15:00 UTC |
| Updated | 2022-08-18 17:12:00 UTC |
| Description | Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Zimbra | Collaboration | 8.7.10 | All | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | - | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p1 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p10 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p11 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p12 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p13 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p14 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p15 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p2 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p3 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p4 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p5 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p6 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p7 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p8 | All | All |
| Application | Zimbra | Collaboration | 8.7.11 | p9 | All | All |
| Application | Zimbra | Collaboration | 8.7.6 | All | All | All |
| Application | Zimbra | Collaboration | 8.7.7 | All | All | All |
| Application | Zimbra | Collaboration | 8.7.9 | All | All | All |
| Application | Zimbra | Collaboration | 8.8.0 | beta1 | All | All |
| Application | Zimbra | Collaboration | 8.8.10 | - | All | All |
| Application | Zimbra | Collaboration | 8.8.10 | p8 | All | All |
| Application | Zimbra | Collaboration | 8.8.11 | - | All | All |
| Application | Zimbra | Collaboration | 8.8.11 | p3 | All | All |
| Application | Zimbra | Collaboration | 8.8.11 | p4 | All | All |
| Application | Zimbra | Collaboration | 8.8.11 | p5 | All | All |
| Application | Zimbra | Collaboration | 8.8.12 | - | All | All |
| Application | Zimbra | Collaboration | 8.8.12 | p3 | All | All |
| Application | Zimbra | Collaboration | 8.8.12 | p4 | All | All |
| Application | Zimbra | Collaboration | 8.8.15 | - | All | All |
| Application | Zimbra | Collaboration | 8.8.15 | p11 | All | All |
| Application | Zimbra | Collaboration | 8.8.15 | p26 | All | All |
| Application | Zimbra | Collaboration | 8.8.15 | p3 | All | All |
| Application | Zimbra | Collaboration | 8.8.15 | p30 | All | All |
| Application | Zimbra | Collaboration | 8.8.15 | p31 | All | All |
| Application | Zimbra | Collaboration | 8.8.15 | p32 | All | All |
| Application | Zimbra | Collaboration | 8.8.15 | p33 | All | All |
| Application | Zimbra | Collaboration | 8.8.15 | p34 | All | All |
| Application | Zimbra | Collaboration | 8.8.15 | p5 | All | All |
| Application | Zimbra | Collaboration | 8.8.2 | All | All | All |
| Application | Zimbra | Collaboration | 8.8.3 | All | All | All |
| Application | Zimbra | Collaboration | 8.8.4 | All | All | All |
| Application | Zimbra | Collaboration | 8.8.6 | All | All | All |
| Application | Zimbra | Collaboration | 8.8.7 | All | All | All |
| Application | Zimbra | Collaboration | 8.8.8 | - | All | All |
| Application | Zimbra | Collaboration | 8.8.8 | p1 | All | All |
| Application | Zimbra | Collaboration | 8.8.8 | p3 | All | All |
| Application | Zimbra | Collaboration | 8.8.8 | p4 | All | All |
| Application | Zimbra | Collaboration | 8.8.8 | p7 | All | All |
| Application | Zimbra | Collaboration | 8.8.9 | - | All | All |
| Application | Zimbra | Collaboration | 8.8.9 | p1 | All | All |
| Application | Zimbra | Collaboration | 8.8.9 | p10 | All | All |
| Application | Zimbra | Collaboration | 8.8.9 | p3 | All | All |
| Application | Zimbra | Collaboration | 9.0.0 | p0 | All | All |
| Application | Zimbra | Collaboration | 9.0.0 | p19 | All | All |
| Application | Zimbra | Collaboration | 9.0.0 | p23 | All | All |
| Application | Zimbra | Collaboration | 9.0.0 | p25 | All | All |
| Application | Zimbra | Collaboration | 9.0.0 | p26 | All | All |
| Application | Zimbra | Collaboration | 9.0.0 | p27 | All | All |
| Application | Zimbra | Collaboration | 9.0.0 | p4 | All | All |
| Application | Zimbra | Collaboration | 9.0.0 | p7 | All | All |
| Application | Zimbra | Collaboration | 9.0.0 | p7.1 | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CVE-2022-37393 | AttackerKB | MISC | attackerkb.com | |
| Zimbra “zmslapd” Local Root Exploit. – Darren Martyn | MISC | darrenmartyn.ie | |
| New module for 0-day Zimbra privilege escalation ("slapper") by rbowes-r7 · Pull Request #16807 · rapid7/metasploit-framework · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Darren Martyn discovered and disclosed this vulnerability
Legacy QID Mappings
- 379335 Zimbra Collaboration Suite (ZCS) Privilege Escalation Vulnerability (CVE-2022-37393)