PT-2024-26359 · Unknown · Stalwart Mail Server
Lukaslihotzki · Published 2024-05-15 · Updated 2024-05-15 · CVE-2024-35179
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Affected software and versions: Stalwart Mail Server versions prior to 0.8.0
Description: The issue affects Stalwart Mail Server when the RUN AS USER setting is in use: the user specified there, as well as web interface admins, can read arbitrary files as root. This affects administrators who have set up Stalwart Mail Server with RUN AS USER and handed out admin credentials expecting those credentials to grant only the access implied by the RUN AS USER settings. It can also be chained: an attacker who achieves arbitrary code execution through another vulnerability can use this issue to read files as root.
Recommendations: For versions prior to 0.8.0, update to version 0.8.0 to resolve the issue. As a temporary workaround, restrict access to sensitive files and directories to minimize the risk of exploitation, and avoid using the RUN AS USER feature until the update to version 0.8.0 has been applied.

Related Identifiers

CVE-2024-35179
GHSA-5PFX-J27J-4C6H

Affected Products

Stalwart Mail Server