CVE-2022-35508 : Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) are vulnerable

Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) are vulnerable to SSRF when proxying HTTP requests between pve(pmg)proxy and pve(pmg)daemon. An attacker with an unprivileged account can craft an HTTP request to achieve SSRF and file disclosure of any files on the server. Also, in Proxmox Mail Gateway, privilege escalation to the root@pam account is possible if the backup feature has ever been used, because backup files such as pmg-backup_YYYY_MM_DD_*.tgz have 0644 permissions and contain an authkey value. This is fixed in pve-http-server 4.1-3.

Published 2022-12-04 19:15:10

Updated 2025-04-24 16:15:21

Source MITRE

View at NVD, CVE.org

Vulnerability category: Server-side request forgery (SSRF) Gain privilege

Products affected by CVE-2022-35508

Proxmox » Proxmox Mail Gateway » Version: N/A
cpe:2.3:a:proxmox:proxmox_mail_gateway:-:*:*:*:*:*:*:*
Matching versions
Proxmox » Virtual Environment » Version: N/A
cpe:2.3:a:proxmox:virtual_environment:-:*:*:*:*:*:*:*
Matching versions
Proxmox » Pve Http Server
Versions before (<) 4.1-3
cpe:2.3:a:proxmox:pve_http_server:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-35508

EPSS FAQ

0.12%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 28 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-35508

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-04-24
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-35508

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2022-35508

https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/

Multiple Vulnerabilities in Proxmox VE & Proxmox Mail Gateway | STAR Labs
Exploit;Patch;Technical Description;Third Party Advisory

CVEs referencing this url
https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=c2bd69c7b5e9c775f96021cf8ae53da3dbd9029d
https://git.proxmox.com/?p=pve-http-server.git;a=commitdiff;h=580d540ea907ba15f64379c5bb69ecf1a49a875f

git.proxmox.com Git - pve-http-server.git/commitdiff
Patch;Third Party Advisory
https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=580d540ea907ba15f64379c5bb69ecf1a49a875f

git.proxmox.com Git
https://git.proxmox.com/?p=pve-http-server.git;a=commitdiff;h=c2bd69c7b5e9c775f96021cf8ae53da3dbd9029d

git.proxmox.com Git - pve-http-server.git/commitdiff
Patch;Third Party Advisory
https://git.proxmox.com/?p=pve-http-server.git;a=commitdiff;h=e9df8a6e76b2a18f89295a5d92a62177bbf0f762

git.proxmox.com Git - pve-http-server.git/commitdiff
Patch;Third Party Advisory
https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=e9df8a6e76b2a18f89295a5d92a62177bbf0f762

git.proxmox.com Git

Jump to

Vulnerability Details : CVE-2022-35508

Products affected by CVE-2022-35508

Exploit prediction scoring system (EPSS) score for CVE-2022-35508

CVSS scores for CVE-2022-35508

CWE ids for CVE-2022-35508

References for CVE-2022-35508