CVE-2022-26562 - OpenCVE

An issue in provider/libserver/ECKrbAuth.cpp of Kopano Core <= v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password is expired. It also exists in the predecessor Zarafa Collaboration Platform (ZCP) in provider/libserver/ECPamAuth.cpp of Zarafa >= 6.30 (introduced between 6.30.0 RC1e and 6.30.8 final).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Kopano	Groupware Core

Configuration 1 [-]

cpe:2.3:a:kopano:groupware_core:11.0.2.51:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-342b96903b
https://bugzilla.redhat.com/show_bug.cgi?id=2192126
https://github.com/Kopano-dev/kopano-core/blob/master/provider/libserver/ECKrbAuth.cpp#L137
https://jira.kopano.io/browse/KC-2021
https://kopano.com/
https://lists.debian.org/debian-lts-announce/2023/03/msg00006.html
https://src.fedoraproject.org/rpms/zarafa/c/a5a8366ccf07f248fae6edffb5123cfda579bfdb?branch=epel7
https://stash.kopano.io/projects/KC/repos/kopanocore/browse/provider/libserver/ECKrbAuth.cpp#137

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-04-01T00:00:00

Updated: 2024-08-03T05:03:32.956Z

Reserved: 2022-03-07T00:00:00

Link: CVE-2022-26562

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-04-01T20:15:08.227

Modified: 2023-05-11T16:15:09.383

Link: CVE-2022-26562

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-26562", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T05:03:32.956Z", "dateReserved": "2022-03-07T00:00:00", "datePublished": "2022-04-01T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-05-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "An issue in provider/libserver/ECKrbAuth.cpp of Kopano Core <= v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password is expired. It also exists in the predecessor Zarafa Collaboration Platform (ZCP) in provider/libserver/ECPamAuth.cpp of Zarafa >= 6.30 (introduced between 6.30.0 RC1e and 6.30.8 final)."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://kopano.com/"}, {"url": "https://stash.kopano.io/projects/KC/repos/kopanocore/browse/provider/libserver/ECKrbAuth.cpp#137"}, {"name": "[debian-lts-announce] 20230306 [SECURITY] [DLA 3354-1] kopanocore security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00006.html"}, {"url": "https://jira.kopano.io/browse/KC-2021"}, {"url": "https://github.com/Kopano-dev/kopano-core/blob/master/provider/libserver/ECKrbAuth.cpp#L137"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2192126"}, {"url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-342b96903b"}, {"url": "https://src.fedoraproject.org/rpms/zarafa/c/a5a8366ccf07f248fae6edffb5123cfda579bfdb?branch=epel7"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:03:32.956Z"}, "title": "CVE Program Container", "references": [{"url": "https://kopano.com/", "tags": ["x_transferred"]}, {"url": "https://stash.kopano.io/projects/KC/repos/kopanocore/browse/provider/libserver/ECKrbAuth.cpp#137", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230306 [SECURITY] [DLA 3354-1] kopanocore security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00006.html"}, {"url": "https://jira.kopano.io/browse/KC-2021", "tags": ["x_transferred"]}, {"url": "https://github.com/Kopano-dev/kopano-core/blob/master/provider/libserver/ECKrbAuth.cpp#L137", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2192126", "tags": ["x_transferred"]}, {"url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-342b96903b", "tags": ["x_transferred"]}, {"url": "https://src.fedoraproject.org/rpms/zarafa/c/a5a8366ccf07f248fae6edffb5123cfda579bfdb?branch=epel7", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kopano:groupware_core:11.0.2.51:*:*:*:*:*:*:*", "matchCriteriaId": "8F6F7889-96DC-4CD1-8BD1-7C4014696CA9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in provider/libserver/ECKrbAuth.cpp of Kopano Core <= v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password is expired. It also exists in the predecessor Zarafa Collaboration Platform (ZCP) in provider/libserver/ECPamAuth.cpp of Zarafa >= 6.30 (introduced between 6.30.0 RC1e and 6.30.8 final)."}, {"lang": "es", "value": "Un problema en el archivo provider/libserver/ECKrbAuth.cpp de Kopano-Core versi\u00f3n v11.0.2.51, contiene un problema que permite a atacantes autenticarse incluso si la cuenta de usuario o la contrase\u00f1a han caducado"}], "id": "CVE-2022-26562", "lastModified": "2023-05-11T16:15:09.383", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-01T20:15:08.227", "references": [{"source": "cve@mitre.org", "url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-342b96903b"}, {"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2192126"}, {"source": "cve@mitre.org", "url": "https://github.com/Kopano-dev/kopano-core/blob/master/provider/libserver/ECKrbAuth.cpp#L137"}, {"source": "cve@mitre.org", "url": "https://jira.kopano.io/browse/KC-2021"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://kopano.com/"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00006.html"}, {"source": "cve@mitre.org", "url": "https://src.fedoraproject.org/rpms/zarafa/c/a5a8366ccf07f248fae6edffb5123cfda579bfdb?branch=epel7"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://stash.kopano.io/projects/KC/repos/kopanocore/browse/provider/libserver/ECKrbAuth.cpp#137"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}