PT-2021-20841 · Zimbra · Zimbra Collaboration Suite

Simon Scannell · Published 2021-07-02 · Updated 2021-09-20 · CVE-2021-35209

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration Suite versions 8.8.0 through 8.8.15 Patch 22; Zimbra Collaboration Suite versions 9.0.0 through 9.0.0 Patch 15
Description: An issue was discovered in ProxyServlet.java in the /proxy servlet. The value of the X-Host header overwrites the value of the Host header in proxied requests. The X-Host value is not checked against the whitelist of hosts Zimbra is allowed to proxy to, which is defined by the zimbraProxyAllowedDomains setting.
Recommendations: For Zimbra Collaboration Suite versions 8.8.0 through 8.8.15 Patch 22, update to version 8.8.15 Patch 23 or later. For Zimbra Collaboration Suite versions 9.0.0 through 9.0.0 Patch 15, update to version 9.0.0 Patch 16 or later. As a temporary workaround, consider restricting the X-Host header to only allow trusted hosts until a patch is applied.
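As an added illustration (not the page's or Zimbra's code) of the bug class the description names: a model proxy that validates the Host header against an allowlist but then builds the outgoing request from X-Host, beside the corrected order and a small check suitable for reviewing proxy access logs. The flat `ALLOWED_DOMAINS` set standing in for zimbraProxyAllowedDomains, the header names' handling, and the sample request are constructed assumptions.

```python
# Added illustration of the bug class described above (CVE-2021-35209):
# an allowlist check applied to the Host header while the proxied request
# is built from an X-Host override. Simplified model, not Zimbra's code.

# Constructed stand-in for zimbraProxyAllowedDomains (a flat set of host
# names; the real setting's matching rules are not modelled here).
ALLOWED_DOMAINS = {"mail.example.internal", "files.example.internal"}


def header(headers, name):
    """Case-insensitive header lookup; returns "" when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def host_allowed(host, allowed):
    """Allowlist check on the host name only (port stripped, lowercased)."""
    name = host.rsplit(":", 1)[0].lower() if host else ""
    return name in allowed


def resolve_target_vulnerable(headers, allowed):
    """Vulnerable order: validate Host, then let X-Host replace it.
    Returns the host the request would be proxied to, or None if refused."""
    host = header(headers, "Host")
    if not host_allowed(host, allowed):
        return None
    override = header(headers, "X-Host")
    return override or host  # the override is never checked against the allowlist


def resolve_target_fixed(headers, allowed):
    """Fixed order: compute the effective host first, then validate it."""
    effective = header(headers, "X-Host") or header(headers, "Host")
    if not host_allowed(effective, allowed):
        return None
    return effective


def is_suspicious_override(headers, allowed):
    """Log-review helper: X-Host present, different from Host, and pointing
    outside the allowlist."""
    host, override = header(headers, "Host"), header(headers, "X-Host")
    return bool(override) and override.lower() != host.lower() \
        and not host_allowed(override, allowed)


# Constructed sample request: allowlisted Host, non-allowlisted X-Host.
SAMPLE_REQUEST = {"Host": "mail.example.internal",
                  "X-Host": "not-allowed.example"}
```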

Exploit

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2021-35209

Affected Products

Zimbra Collaboration Suite