id: CVE-2022-27924

info:
  name: Zimbra Collaboration Suite - Memcached Command Injection
  author: rxerium
  severity: high
  description: |
    Zimbra Collaboration Suite versions 8.8.15 and 9.0 contain a memcached command injection vulnerability that allows an unauthenticated attacker to inject arbitrary memcached commands into a targeted instance, leading to cache poisoning and potential credential theft.
  impact: |
    Successful exploitation allows attackers to overwrite arbitrary cached entries and steal user credentials in cleartext without user interaction. With valid credentials, attackers can perform spear phishing, social engineering, and business email compromise attacks, or maintain persistent access via webshells.
  remediation: |
    Update to Zimbra Collaboration Suite version 8.8.15 Patch 31 or 9.0.0 Patch 24.1 or later. Implement multi-factor authentication to reduce the impact of credential theft.
  reference:
    - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
    - https://nvd.nist.gov/vuln/detail/CVE-2022-27924
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-27924
    epss-score: 0.90438
    epss-percentile: 0.99622
    cpe: cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: synacor
    product: zimbra_collaboration_suite
    shodan-query:
      - http.title:"zimbra collaboration suite"
  tags: cve,cve2022,zimbra,injection,passive,vuln,kev,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/js/zimbraMail/share/model/ZmSettings.js"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Zimbra Collaboration Suite Web Client"

      - type: word
        part: header
        words:
          - "application/x-javascript"

      - type: word
        part: version
        words:
          - "8.8.15"
          - "9.0"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - 'CLIENT_VERSION\",\s+{type:ZmSetting.T_CONFIG, defaultValue:\"(.*?)"'
# digest: 4b0a00483046022100fd7246bf60e86fc80b4d3d4f14815e34b8f4bf3d1192912e9c326e69f2b77c4602210085ada2aca0332d76374e35342509f2ecf3e4eab2974fd5b89d19f69bd15a11f1:922c64590222798bb761d5b6d8e72950
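The template above is a passive version check: it fetches ZmSettings.js, pulls the CLIENT_VERSION default value out with a regex, and reports a hit only when all four matchers agree (HTTP 200, a JavaScript content type, the Web Client banner in the body, and an extracted version on the 8.8.15 or 9.0 branch). The following Python is an added, stand-alone re-implementation of that logic for readers who want to run the same check outside nuclei or fold it into their own inventory tooling; it is not part of the template or of the nuclei project. The sample response body is constructed here, and the build suffix in it ("8.8.15_GA_4177") is an assumption about the string format used only to exercise the parser. The optional network fetch uses only the standard library and is meant for hosts you are authorized to test.

```python
import re
import urllib.request
from typing import Optional

# Same capture as the template's extractor: the defaultValue of CLIENT_VERSION in ZmSettings.js.
CLIENT_VERSION_RE = re.compile(
    r'CLIENT_VERSION",\s+\{type:ZmSetting\.T_CONFIG, defaultValue:"(.*?)"'
)

# The version branches the template's third matcher looks for.
AFFECTED_PREFIXES = ("8.8.15", "9.0")

# Constructed sample of the relevant lines of ZmSettings.js (the "_GA_4177" build
# suffix is an assumed format, not a value taken from a real server).
SAMPLE_BODY = (
    'this.registerSetting("CLIENT_VERSION", {type:ZmSetting.T_CONFIG, '
    'defaultValue:"8.8.15_GA_4177"});\n'
    "// Zimbra Collaboration Suite Web Client\n"
)


def extract_client_version(body: str) -> Optional[str]:
    """Mirror the template's regex extractor; return the raw version string or None."""
    m = CLIENT_VERSION_RE.search(body)
    return m.group(1) if m else None


def is_flagged_version(version: str) -> bool:
    """True when the dotted numeric prefix of the version lies on a listed branch.

    Comparison is component-wise ("9.0.0_GA_4429" matches "9.0", "19.0.0" does not),
    which is stricter than the substring match a nuclei word matcher performs.
    """
    numeric = re.match(r"\d+(?:\.\d+)*", version)
    if not numeric:
        return False
    parts = numeric.group(0).split(".")
    for prefix in AFFECTED_PREFIXES:
        want = prefix.split(".")
        if parts[: len(want)] == want:
            return True
    return False


def assess(status: int, content_type: str, body: str) -> dict:
    """Apply the template's four AND-ed matchers to one HTTP response."""
    version = extract_client_version(body)
    checks = {
        "status_200": status == 200,
        "javascript_header": "application/x-javascript" in content_type,
        "zimbra_banner": "Zimbra Collaboration Suite Web Client" in body,
        "flagged_version": version is not None and is_flagged_version(version),
    }
    return {"matched": all(checks.values()), "version": version, "checks": checks}


def fetch_and_assess(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch ZmSettings.js from a host you are authorized to test and assess it."""
    url = base_url.rstrip("/") + "/js/zimbraMail/share/model/ZmSettings.js"
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # noqa: S310
        body = resp.read().decode("utf-8", errors="replace")
        return assess(resp.status, resp.headers.get("Content-Type", ""), body)


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_and_assess("https://mail.example") for a live host.
    print(assess(200, "application/x-javascript", SAMPLE_BODY))
```

Because the client version string carries the release branch but not the patch level, a match from this check (or from the template, which is tagged passive for the same reason) says only that the host is on an affected branch; confirm the installed patch level on the server against the remediation versions above before treating it as unpatched.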