Improper Authentication in kopano-core - CVE-2022-26562
Published: August 20, 2023
Vulnerability identifier: #VU79724
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-26562
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
kopano-core
Software vendor:
Kopano
Description
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an error in provider/libserver/ECKrbAuth.cpp. A remote attacker can bypass the authentication process and successfully log in with an expired account or password.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
External links
- https://stash.kopano.io/projects/KC/repos/kopanocore/browse/provider/libserver/ECKrbAuth.cpp#137
- https://lists.debian.org/debian-lts-announce/2023/03/msg00006.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2192126
- https://jira.kopano.io/browse/KC-2021
- https://src.fedoraproject.org/rpms/zarafa/c/a5a8366ccf07f248fae6edffb5123cfda579bfdb?branch=epel7
- https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-342b96903b
- https://github.com/Kopano-dev/kopano-core/blob/master/provider/libserver/ECKrbAuth.cpp#L137