mailcow is vulnerable to shell command injection via xoauth2 authentication in imapsync
CVE-2023-26490

7.3 HIGH

Key Information:

Vendor: Mailcow

CVE Published: 4 March 2023

What is CVE-2023-26490?

A shell command injection vulnerability exists in the Sync Job feature of the Mailcow email package. The password a user supplies for a sync job is not adequately validated before it is used in shell commands, so a malicious user who holds the necessary Sync Job permission can inject shell commands and obtain shell access inside the dovecot Docker container. Mailcow's default account permissions do not grant the access needed to exploit this; nevertheless, operators should apply the fix shipped in the March 2023 update immediately or, as a workaround, restrict Sync Job permissions for all mailbox users.
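The flaw class the advisory describes, illustrated with an added example that is not mailcow's or imapsync's code: a sync-job password spliced into a command string that is run through the shell, beside the hardened form that builds an argv list and never invokes a shell. A small Python stand-in (constructed here) replaces the imapsync binary and prints the arguments it actually received; the host, user and password values are constructed samples, and the vulnerable path assumes a POSIX `sh`.

```python
import json
import shlex
import subprocess
import sys
from typing import List

# Constructed stand-in for the imapsync binary (not mailcow's or imapsync's
# code): it prints the argv it received as a JSON list, so we can see exactly
# how the password arrived.
STUB = "import json, sys; print(json.dumps(sys.argv[1:]))"

# Constructed sample inputs. The hostile one is a password that a shell would
# read as the end of a quoted argument followed by a second command.
BENIGN_PASSWORD = "Correct-Horse-42"
HOSTILE_PASSWORD = "x'; echo INJECTED #"


def vulnerable_command_line(host: str, user: str, password: str) -> str:
    """Flaw class described in the advisory: the user-controlled password is
    spliced unvalidated into a single string that is later handed to `sh -c`.
    (The fixed parts are quoted only so the stand-in interpreter runs.)"""
    return (
        f"{shlex.quote(sys.executable)} -c {shlex.quote(STUB)} "
        f"--host1 {host} --user1 {user} --password1 '{password}'"
    )


def hardened_argv(host: str, user: str, password: str) -> List[str]:
    """Fix pattern: build an argv list and never involve a shell, so the
    password is delivered as exactly one argument regardless of its content."""
    for value in (host, user, password):
        if "\x00" in value:
            # The one byte argv cannot carry; reject rather than truncate.
            raise ValueError("NUL byte not permitted in a command-line argument")
    return [sys.executable, "-c", STUB,
            "--host1", host, "--user1", user, "--password1", password]


def run_vulnerable(host: str, user: str, password: str) -> List[str]:
    """Execute the string through the shell and return stdout lines."""
    done = subprocess.run(vulnerable_command_line(host, user, password),
                          shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def run_hardened(host: str, user: str, password: str) -> List[str]:
    """Execute the argv list directly (no shell) and return stdout lines."""
    done = subprocess.run(hardened_argv(host, user, password),
                          capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def received_password(output_lines: List[str]) -> str:
    """Recover the --password1 value the stand-in actually saw."""
    argv = json.loads(output_lines[0])
    return argv[argv.index("--password1") + 1]


if __name__ == "__main__":
    for label, runner in (("shell string", run_vulnerable),
                          ("argv list", run_hardened)):
        lines = runner("imap.example.test", "alice", HOSTILE_PASSWORD)
        print(f"{label}: password seen = {received_password(lines)!r}, "
              f"extra output = {lines[1:]}")
```

With the hostile password, the shell-string path delivers only `x` as the password and then runs the trailing `echo`, which is the injection the advisory warns about; the argv path delivers the whole string as one argument and produces no extra output. Validating the password is a useful second layer, but the structural fix is to stop passing user data through a shell at all.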

Affected Version(s)

mailcow-dockerized < 2023-03

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
