CVE-2024-45518

Q: What is the severity of CVE-2024-45518?

CVE-2024-45518 has a CVSS score of 8.8 (HIGH). This vulnerability in Zimbra Collaboration allows authenticated users to perform Server-Side Request Forgery (SSRF) attacks due to improper input sanitization and domain whitelisting misconfigurations. Attackers can send unauthorized HTTP requests to internal services, potentially leading to Remote Code Execution (RCE) through command injection chaining. All Zimbra Collaboration installations running affected versions are vulnerable.

8.8 HIGH

Remote Code Execution SSRF

📋 TL;DR

This vulnerability in Zimbra Collaboration allows authenticated users to perform Server-Side Request Forgery (SSRF) attacks due to improper input sanitization and domain whitelisting misconfigurations. Attackers can send unauthorized HTTP requests to internal services, potentially leading to Remote Code Execution (RCE) through command injection chaining. All Zimbra Collaboration installations running affected versions are vulnerable.

💻 Affected Systems

Products:

Zimbra Collaboration Suite (ZCS)

Versions: ZCS 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, 8.8.15 before Patch 46

Operating Systems: Linux (all supported distributions)

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated user access. Vulnerable in default configurations with webmail/administration interfaces enabled.

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra

Collaboration by Zimbra