Looks very similar indeed; this could trick amavis (using cpio) into writing files into /opt/zimbra/jetty/webapps/zimbra/public, which contains executable code.
This was initially fixed by installing pax, and later by avoiding cpio altogether.
But the real underlying issue of this –and several other Zimbra vulnerabilities– is that the whole of /opt/zimbra/jetty/webapps is writable for the zimbra user. Hopefully this will be addressed in the future.
Statistics: Posted by ghen — Tue Feb 13, 2024 3:23 pm