Improper Authentication in kopano-core - CVE-2022-26562
Published: August 20, 2023
Vulnerability identifier: #VU79724
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-26562
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Kopano
Affected software:
kopano-core
kopano-core
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in provider/libserver/ECKrbAuth.cpp. A remote attacker can bypass authentication process and successfully login with an expired account or password.
How to mitigate CVE-2022-26562
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Sources
- https://stash.kopano.io/projects/KC/repos/kopanocore/browse/provider/libserver/ECKrbAuth.cpp#137
- https://lists.debian.org/debian-lts-announce/2023/03/msg00006.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2192126
- https://jira.kopano.io/browse/KC-2021
- https://src.fedoraproject.org/rpms/zarafa/c/a5a8366ccf07f248fae6edffb5123cfda579bfdb?branch=epel7
- https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-342b96903b
- https://github.com/Kopano-dev/kopano-core/blob/master/provider/libserver/ECKrbAuth.cpp#L137