CVE-2022-37393

Summary

Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.

Affected Software

VendorProductVersion RangeStatus
SynacorZimbra Server9.0.0.p27 <= 9.0.0.p27affected
SynacorZimbra Server8.8.15.p34 <= 8.8.15.p34affected

Weaknesses

  • CWE-284: CWE-284 Improper Access Control

ADP Enrichment

CVE Program Container

Additional References

References