CVE-2020-10194 : cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 al

cs/service/account/AutoCompleteGal.java in Zimbra zm-mailbox before 8.8.15.p8 allows authenticated users to request any GAL account. This differs from the intended behavior in which the domain of the authenticated user must match the domain of the galsync account in the request.

Published 2020-03-20 21:15:17

Updated 2021-07-21 11:39:24

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2020-10194

Zimbra » Zm-mailbox
Versions before (<) 8.8.15
cpe:2.3:a:zimbra:zm-mailbox:*:*:*:*:*:*:*:*
Matching versions
Zimbra » Zm-mailbox » Version: 8.8.15
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:-:*:*:*:*:*:*
Matching versions
Zimbra » Zm-mailbox » Version: 8.8.15 Update Patch1
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch1:*:*:*:*:*:*
Matching versions
Zimbra » Zm-mailbox » Version: 8.8.15 Update Patch2
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch2:*:*:*:*:*:*
Matching versions
Zimbra » Zm-mailbox » Version: 8.8.15 Update Patch3
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch3:*:*:*:*:*:*
Matching versions
Zimbra » Zm-mailbox » Version: 8.8.15 Update Patch4
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch4:*:*:*:*:*:*
Matching versions
Zimbra » Zm-mailbox » Version: 8.8.15 Update Patch5
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch5:*:*:*:*:*:*
Matching versions
Zimbra » Zm-mailbox » Version: 8.8.15 Update Patch6
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch6:*:*:*:*:*:*
Matching versions
Zimbra » Zm-mailbox » Version: 8.8.15 Update Patch7
cpe:2.3:a:zimbra:zm-mailbox:8.8.15:patch7:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-10194

EPSS FAQ

0.24%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 44 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-10194

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:P/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2020-10194

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-10194

https://github.com/Zimbra/zm-mailbox/pull/1020

ZBUG-1094:Broken GAL search filtering by sneha-patil-synacor · Pull Request #1020 · Zimbra/zm-mailbox · GitHub
Patch;Third Party Advisory
https://github.com/Zimbra/zm-mailbox/commit/1df440e0efa624d1772a05fb6d397d9beb4bda1e

ZBUG-1094:Broken GAL search filtering · Zimbra/zm-mailbox@1df440e · GitHub
Patch;Third Party Advisory
https://github.com/Zimbra/zm-mailbox/compare/8.8.15.p7...8.8.15.p8

Comparing 8.8.15.p7...8.8.15.p8 · Zimbra/zm-mailbox · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-10194

Products affected by CVE-2020-10194

Exploit prediction scoring system (EPSS) score for CVE-2020-10194

CVSS scores for CVE-2020-10194

CWE ids for CVE-2020-10194

References for CVE-2020-10194