
The US CISA has added a Synacor Zimbra vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation.
The vulnerability, tracked as CVE-2024-45519 with a CVSS score of 10, is a command injection flaw in Zimbra Collaboration: the postjournal service contains an unspecified vulnerability that may allow an unauthenticated user to execute
The vulnerability stems from unsanitized user input being passed to the popen() function in the unpatched version, which lets attackers inject arbitrary commands. The patched version introduces input sanitization and replaces popen() with execvp(), which mitigates direct command injection; it is nonetheless crucial that administrators apply the latest patches promptly.
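To make the popen-versus-execvp distinction concrete, here is an added example in C. It is not Zimbra's code and does not reproduce the postjournal service; the helper names (is_safe_arg, run_unsafe, exec_argv, handle_request), the allowlist rule, and the use of the echo program as a stand-in for the real child process are all assumptions made for this illustration. The point it shows: popen() hands its string to /bin/sh, so shell metacharacters in user input are interpreted, whereas execvp() with an argv array passes the input to the program as one literal argument, and an allowlist check in front of it adds a second layer.

```c
/* Added example (not Zimbra's code): popen() on a string built from user
 * input is a command injection sink; execvp() with an argv array plus an
 * input allowlist keeps the shell out of the path entirely.
 * Helper names and the allowlist rule are assumptions for this demo. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Allowlist (assumed policy): letters, digits, '@', '.', '-', '_' only.
 * Shell metacharacters such as ; | & $ ` are rejected outright. */
int is_safe_arg(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '@' || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* VULNERABLE pattern (shown for contrast, not called below): the
 * user-controlled string is spliced into a command line that popen()
 * passes to "/bin/sh -c", so the shell parses any metacharacter in it. */
FILE *run_unsafe(const char *user_input)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "echo %s", user_input);
    return popen(cmd, "r");   /* sink: the shell interprets cmd */
}

/* HARDENED pattern: fork + execvp with a fixed program and an argv array.
 * No shell runs, so `arg` reaches the child as a single literal argument.
 * The child's stdout is read back into `out`. Returns the child's exit
 * status, or -1 on failure. */
int exec_argv(const char *arg, char *out, size_t outlen)
{
    int fd[2];
    if (pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                        /* child */
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        char *argv[] = { "echo", (char *)arg, NULL };
        execvp("echo", argv);              /* echo stands in for the real program */
        _exit(127);                        /* only reached if exec fails */
    }
    close(fd[1]);                          /* parent */
    size_t n = 0;
    ssize_t r;
    while (n + 1 < outlen && (r = read(fd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Defence in depth: validate first, then exec without a shell.
 * Returns -2 when the input fails the allowlist. */
int handle_request(const char *user_input, char *out, size_t outlen)
{
    if (!is_safe_arg(user_input))
        return -2;
    return exec_argv(user_input, out, outlen);
}

int main(void)
{
    char buf[256];
    /* Constructed input containing a shell metacharacter. With popen() the
     * shell would split it into two commands; with execvp() echo simply
     * prints it back as one literal string. */
    int rc = exec_argv("hello; id", buf, sizeof buf);
    printf("execvp exit=%d output=%s", rc, buf);
    printf("allowlist verdict for \"hello; id\": %d\n", is_safe_arg("hello; id"));
    return 0;
}
```

Running it prints the literal text "hello; id" from the execvp path and a verdict of 0 from the allowlist, which is the two-layer behaviour the patch description above refers to: sanitize the input and remove the shell from the execution path.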
While the postjournal feature may be optional or not enabled on most systems, the provided patch should still be applied to prevent potential exploitation.
For Zimbra systems where the postjournal feature is not enabled and the patch cannot be applied immediately, removing the postjournal binary could be considered a temporary measure until the patch can be applied.
CISA has set a deadline of 24 October 2024 for all federal agencies to remediate the vulnerability.

