CVE-2022-31138
Published 2022-07-11
Priority P2 · 58 · High 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.34% (81.5th percentile)
mailcow is a mailserver suite. Prior to mailcow-dockerized version 2022-06a, an extended privilege vulnerability can be exploited by manipulating the custom parameters regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess, or maxlinelengthcmd to execute arbitrary code. Users should update their mailcow instances with the `update.sh` script in the mailcow root directory to 2022-06a or newer to receive a patch for this issue. As a temporary workaround, the Syncjob ACL can be removed from all mailbox users, preventing changes to those settings.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mailcow | mailcow | < 2022-06a | 2022-06a |
| mailcow | mailcow-dockerized | < 2022-06a | 2022-06a |
CVSS provenance
NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/ly1g3/Mailcow-CVE-2022-31138
https://github.com/mailcow/mailcow-dockerized/commit/d373164e13a14e058f82c9f1918a5612f375a9f9
https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-06a
https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-vx9w-h33p-5vhc