Zimbra Collaboration Suite ProxyServlet Vulnerability
CVE-2021-35209

9.8CRITICAL

Key Information:

Vendor

Zimbra

Status
Collaboration
Vendor
CVE Published:
2 July 2021

What is CVE-2021-35209?

A vulnerability in Zimbra Collaboration Suite's ProxyServlet allows the X-Host header value to override the Host header in proxied requests. This flaw exists in versions prior to 8.8.15 Patch 23 and 9.0.0 Patch 16, where the X-Host header is not validated against a whitelist of permissible hostnames. This oversight can potentially lead to unauthorized access or compromise of the Zimbra system by allowing malicious proxies to direct traffic without proper checks. Admins are encouraged to review and apply the latest patches to mitigate this risk.

References

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
x_refsource_MISC
https://wiki.zimbra.com/wiki/Security_Center
x_refsource_MISC
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.