PT-2022-20635 · Mailcow · Mailcow

Ly1G3 · Published 2022-05-20 · Updated 2022-07-26 · CVE-2022-31245

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: mailcow versions prior to 2022-05d

Description: The issue allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

Recommendations: For versions prior to 2022-05d, update to version 2022-05d or later to resolve the issue. As a temporary workaround, consider disabling the --debug option and the ---PIPEMESS option in Sync Jobs until a patch is available. Restrict access to Sync Jobs to minimize the risk of exploitation.

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2022-31245

Affected Products

Mailcow