Host Header Vulnerability in Zimbra Collaboration Suite by Zimbra
CVE-2022-37041

7.5 HIGH

Key Information:

Vendor

Zimbra

CVE Published:
11 August 2022

What is CVE-2022-37041?

A security vulnerability exists in the ProxyServlet component of Zimbra Collaboration Suite (ZCS) versions 8.8.15 and 9.0. The flaw arises because the X-Forwarded-Host header is used without validation and is allowed to overwrite the Host header in proxied requests. The forwarded value is never checked against the zimbraProxyAllowedDomains allowlist, so a request may be proxied toward a host outside the configured domains, potentially allowing unauthorized redirection or manipulation of requests that could impact the integrity and security of messaging services within ZCS.
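The following is an added illustration, not Zimbra's ProxyServlet code: it contrasts a proxy that blindly lets X-Forwarded-Host replace Host (the behaviour the advisory describes) with one that accepts the forwarded value only when it matches a configured allowlist and otherwise falls back to a validated Host. The allowlist ALLOWED_DOMAINS and the sample headers are constructed stand-ins for the zimbraProxyAllowedDomains setting and for real traffic.

```python
from __future__ import annotations
from fnmatch import fnmatch

# Constructed allowlist standing in for the zimbraProxyAllowedDomains setting.
ALLOWED_DOMAINS = ["mail.example.com", "*.example.com"]


def _strip_port(host: str) -> str:
    """Return the host part of a Host-style value, dropping any :port."""
    if host.startswith("["):                      # IPv6 literal, e.g. [::1]:8443
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    return host.split(":", 1)[0]


def host_allowed(host: str, allowed: list[str] = ALLOWED_DOMAINS) -> bool:
    """True only if the host name matches one allowlist entry (glob style)."""
    name = _strip_port(host.strip()).lower()
    if not name or any(ch.isspace() for ch in name):
        return False
    return any(fnmatch(name, pattern.lower()) for pattern in allowed)


def upstream_host_vulnerable(headers: dict[str, str]) -> str:
    """Mirrors the flaw: X-Forwarded-Host silently overrides Host, unchecked."""
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded:
        return forwarded.split(",")[0].strip()
    return headers.get("Host", "")


def upstream_host_hardened(headers: dict[str, str],
                           allowed: list[str] = ALLOWED_DOMAINS) -> str:
    """Use X-Forwarded-Host only when it passes the allowlist; otherwise fall
    back to Host, which must itself be allowed or the request is refused."""
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded:
        candidate = forwarded.split(",")[0].strip()   # first hop wins in a chain
        if host_allowed(candidate, allowed):
            return candidate
        # Not on the allowlist: ignore the header (a rejected value here is
        # worth logging, since it is a cheap detection signal for this class of bug).
    host = headers.get("Host", "")
    if host_allowed(host, allowed):
        return host
    raise ValueError(f"refusing to proxy to non-allowlisted host: {host!r}")


if __name__ == "__main__":
    # Constructed request headers: a forwarded header naming a foreign domain.
    sample = {"Host": "mail.example.com", "X-Forwarded-Host": "evil.invalid"}
    print("vulnerable ->", upstream_host_vulnerable(sample))  # evil.invalid
    print("hardened   ->", upstream_host_hardened(sample))    # mail.example.com
```

The important design point is that the check runs on the host name alone (port stripped, case folded) and that a failed check discards the forwarded value rather than the whole request, while a Host header that is itself outside the allowlist is refused; both outcomes are the ones a zimbraProxyAllowedDomains-style setting is meant to enforce.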

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
