← volver
CVE-2021-35209

CVE-2021-35209

EPSS 3.0%
An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of X-Host header is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting).
Productos afectados
n/a · n/a

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://blog.sonarsource.com/zimbra-webmail-compromise-via-emailhttps://wiki.zimbra.com/wiki/Security_Centerhttps://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories