SB2022040120 - Improper authentication in Kopano Core
Published: April 1, 2022 Updated: August 20, 2023
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Authentication (CVE-ID: CVE-2022-26562)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an error in provider/libserver/ECKrbAuth.cpp. A remote attacker can bypass the authentication process and successfully log in with an expired account or password.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://stash.kopano.io/projects/KC/repos/kopanocore/browse/provider/libserver/ECKrbAuth.cpp#137
- https://lists.debian.org/debian-lts-announce/2023/03/msg00006.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2192126
- https://jira.kopano.io/browse/KC-2021
- https://src.fedoraproject.org/rpms/zarafa/c/a5a8366ccf07f248fae6edffb5123cfda579bfdb?branch=epel7
- https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-342b96903b
- https://github.com/Kopano-dev/kopano-core/blob/master/provider/libserver/ECKrbAuth.cpp#L137