CVE-2023-26490

Name of the Vulnerable Software and Affected Versions mailcow versions prior to the 2023-03 Update

Description The Sync Job feature in mailcow, a dockerized email package, suffers from a shell command injection. This allows a malicious user to obtain shell access to the Docker container running dovecot by abusing the vulnerability. The imapsync Perl script, which implements the necessary functionality for this feature, including the XOAUTH2 authentication mechanism, creates a shell command to call openssl. However, since different parts of the specified user password are included without any validation, one can simply execute additional shell commands. The default ACL for a newly-created mailcow account does not include the necessary permission.

Recommendations As a temporary workaround, consider removing the Syncjob ACL from all mailbox users to prevent creating or changing existing Syncjobs. Update to the 2023-03 Update or later to fix the issue.