Zimbra Collaboration Suite Full [exclusive] | CVE-2020-7796

Configure your reverse proxy or front-end security handler (such as Nginx or HAProxy) to drop external traffic addressed directly to the Zimlet's raw JSP file paths.

[ Unauthenticated Attacker ]
          │
          │ (Crafted HTTP Request with Target URL)
          ▼
[ Zimbra Web Server (WebEx Zimlet JSP) ] ──( Bypasses Internal Access Controls )
          │
          ├─────────────────────────────────┐
          ▼                                 ▼
[ Internal Network Services ]     [ Cloud Metadata Services (IMDS) ]
(Extract System Configuration)    (Steal API/IAM Infrastructure Tokens)

The Root Cause (CVE-2020-7796)

The vulnerability exists due to insufficient validation of user-supplied URLs within a specific component of the Zimbra application, specifically when the WebEx Zimlet is installed and its JSP (JavaServer Pages) file is enabled.