PT-2022-20557 · Unknown · Mailcow-Dockerized

Derlinkman
Published: 2022-07-11 · Updated: 2022-07-18 · CVE-2022-31138

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: mailcow-dockerized versions prior to 2022-06a
Description: The issue is a privilege-escalation vulnerability in mailcow, a mail server suite. It can be exploited by manipulating custom parameters such as regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess or maxlinelengthcmd so that arbitrary code is executed.
Recommendations: For versions prior to 2022-06a, update the mailcow instance to 2022-06a or newer with the update.sh script in the mailcow root directory to receive the patch for this issue. As a temporary workaround, remove the Syncjob ACL from all mailbox users so that they cannot change those settings.
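The defensive pattern the description and the workaround point at, as an added illustration that is not mailcow's own code and not the project's fix: a free-form "custom parameters" field controlled by a mailbox user must never be spliced into a shell command line. It is tokenised, every token is checked against an allowlist, and the result is passed to the sync tool as separate argv entries with no shell in between. The option names in CODE_EXECUTING_OPTIONS are the ones listed in the description above; the ALLOWED_FLAGS set, the function names and the sample parameter strings are assumptions made for this example.

```python
"""Allowlist handling for user-supplied imapsync parameters (added illustration,
not code from mailcow). Host and user values are passed as separate argv
entries; the free-form "custom parameters" field is tokenised and every token
must be an allowlisted, argument-less flag."""
import shlex
import subprocess

# Options the advisory names as abusable: each takes a regex, a Perl expression,
# a command or a shell pipeline, so a user who may edit sync jobs can turn them
# into code execution on the host.
CODE_EXECUTING_OPTIONS = frozenset({
    "--regexmess", "--skipmess", "--regexflag", "--delete2foldersonly",
    "--delete2foldersbutnot", "--regextrans2", "--pipemess", "--maxlinelengthcmd",
})

# Hypothetical allowlist for this example (not taken from mailcow): argument-less
# tuning flags only, so no accepted token can ever carry a pattern or a command.
ALLOWED_FLAGS = frozenset({"--subscribeall", "--nofoldersizes", "--syncinternaldates"})


def _tokenise(custom_params: str) -> list[str]:
    """Split the field the way a shell would; unbalanced quotes raise ValueError."""
    return shlex.split(custom_params)


def find_dangerous_options(custom_params: str) -> list[str]:
    """Audit helper: return the advisory-listed options present in a stored
    custom-parameter string, for reviewing existing sync jobs on an instance
    that has not been updated yet. Both "--opt value" and "--opt=value" forms
    are recognised; an unparseable string is scanned word by word instead."""
    try:
        tokens = _tokenise(custom_params)
    except ValueError:
        tokens = custom_params.split()          # best effort: still surface the names
    hits: list[str] = []
    for tok in tokens:
        name = tok.split("=", 1)[0]
        if name in CODE_EXECUTING_OPTIONS and name not in hits:
            hits.append(name)
    return hits


def validate_custom_params(custom_params: str) -> list[str]:
    """Accept only allowlisted flags; reject everything else instead of silently
    trimming, so a job with unexpected content is never created."""
    try:
        tokens = _tokenise(custom_params)
    except ValueError as exc:
        raise ValueError(f"unparseable custom parameters: {exc}") from exc
    for tok in tokens:
        if tok not in ALLOWED_FLAGS:
            raise ValueError(f"custom parameter not permitted: {tok!r}")
    return tokens


def is_rejected(custom_params: str) -> bool:
    """True if validate_custom_params refuses the string."""
    try:
        validate_custom_params(custom_params)
    except ValueError:
        return True
    return False


def build_imapsync_argv(host1: str, user1: str, host2: str, user2: str,
                        custom_params: str) -> list[str]:
    """Assemble argv for imapsync. Each value is its own list element, so even a
    hostname containing quotes or a semicolon reaches execve verbatim instead of
    being parsed by a shell. Passwords are deliberately kept off the command line."""
    argv = ["imapsync", "--host1", host1, "--user1", user1,
            "--host2", host2, "--user2", user2]
    return argv + validate_custom_params(custom_params)


def run_sync(argv: list[str]) -> subprocess.CompletedProcess:
    """Run the assembled command without a shell. shell=False is the default and
    is spelled out because it is the point of the example."""
    return subprocess.run(argv, shell=False, check=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample job as a user might have saved it; not taken from any instance.
    stored = "--subscribeall --pipemess 'echo injected'"
    print("audit hits:", find_dangerous_options(stored))       # ['--pipemess']
    print("rejected:", is_rejected(stored))                    # True
    print(build_imapsync_argv("imap.example.org", "alice", "mail.example.net",
                              "alice", "--subscribeall --nofoldersizes"))
```

find_dangerous_options is the check an operator can run over stored sync jobs before the update is applied; validate_custom_params and build_imapsync_argv are the shape of the fix, where the allowlist (rather than a denylist of the eight names) is what keeps a newly discovered option from reopening the hole.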

Exploit

Fix

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2022-31138
GHSA-VX9W-H33P-5VHC

Affected Products

Mailcow-Dockerized