Impact
A privilege escalation vulnerability can be exploited by manipulating the debug argument pipmess or pipemes with command line inputs. CWE classifies the issue as CWE-78 (OS command injection), and an impact on confidentiality, integrity, and availability is expected.
Workaround
As a temporary workaround, the Syncjob ACL can be removed from all mailbox users, preventing them from changing those settings.
Solution
Update your mailcow instance with the update.sh script in the mailcow root directory to 2022-05d or newer.
You can check your version after the update in two ways:
- Log in to your Admin UI and look at the bottom right.
- Run
git describe --tags `git rev-list --tags --max-count=1`
in your mailcow root directory after you've updated.
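The version check above tells you which tag is checked out, but not whether that tag is at or above the fixed release. The script below, an added example that is not part of the advisory or of mailcow's own tooling, compares a mailcow release tag against 2022-05d. It assumes mailcow tags follow the YYYY-MM or YYYY-MM<letter> pattern seen in "2022-05d" (a tag without a letter suffix is treated as older than the same month with a suffix); check_current_checkout runs the same git command the advisory gives and must be executed from the mailcow root directory.

```shell
#!/bin/sh
# Added example (not part of the advisory): decide whether a mailcow release
# tag is 2022-05d or newer. Assumed tag format: YYYY-MM optionally followed
# by one lowercase letter, e.g. 2022-05 or 2022-05d.
FIXED_VERSION="2022-05d"

# Turn a tag into a numeric sort key: YYYYMM followed by the ordinal of the
# suffix letter (00 for no letter, 01 for a, ... 26 for z).
# Returns 1 when the tag does not look like a mailcow version tag.
version_key() {
    tag=$1
    ym=$(printf '%s' "$tag" | sed -n 's/^\([0-9]\{4\}\)-\([0-9]\{2\}\)[a-z]\{0,1\}$/\1\2/p')
    [ -n "$ym" ] || return 1
    suffix=$(printf '%s' "$tag" | sed -n 's/^[0-9]\{4\}-[0-9]\{2\}\([a-z]\)$/\1/p')
    if [ -z "$suffix" ]; then
        ord=0
    else
        ord=$(printf '%d' "'$suffix")   # ASCII code of the suffix letter
        ord=$((ord - 96))                # a=1 ... z=26
    fi
    printf '%s%02d\n' "$ym" "$ord"
}

# Exit status 0 when the tag is at or above FIXED_VERSION, 1 when it is older,
# 2 when the tag is not a recognisable mailcow version tag.
mailcow_version_is_fixed() {
    key=$(version_key "$1") || return 2
    fixed=$(version_key "$FIXED_VERSION")
    [ "$key" -ge "$fixed" ]
}

# Look up the checked-out tag the way the advisory suggests and report.
# Run from the mailcow root directory after updating.
check_current_checkout() {
    current=$(git describe --tags "$(git rev-list --tags --max-count=1)" 2>/dev/null) || {
        echo "not a git checkout or no tags found"
        return 2
    }
    if mailcow_version_is_fixed "$current"; then
        echo "$current: at or above $FIXED_VERSION"
    else
        echo "$current: older than $FIXED_VERSION, run update.sh"
        return 1
    fi
}
```

Because the key is a plain integer, the comparison also works for later years and months (2022-06, 2023-01), not only for suffix variants of 2022-05.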
References
For more information
If you have any questions or comments about this advisory: