Difference between revisions of "Zimbra Security Advisories"

(Updates for ZCS 8.7.0 release and other whitespace cleanup along with a few CWE references)
(link scores to nist calculator, other minor updates)
Line 27: Line 27:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br />
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br />
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td>
<td><!-- 79 -->-</td>
+
<td><!-- XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] -->-</td>
 
<td>CVE-2016-5721</td>
 
<td>CVE-2016-5721</td>
<td>4.3 <br /> 2.1</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
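Review bot: the CWE reference this hunk adds to the Summary cell is wrapped in an HTML comment, so the rendered column still shows only "-" and readers gain nothing from it: `<td><!-- XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] -->-</td>`. Either render the link, the way the CWE-502 row further down already shows its CWE in the Summary cell, or leave the comment out; the same hidden-comment pattern is repeated in most of the 8.7.0 rows that follow.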
Line 38: Line 38:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br />
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br />
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td>
<td><!-- 79 -->-</td>
+
<td><!-- XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] -->-</td>
 
<td>CVE-2016-3999</td>
 
<td>CVE-2016-3999</td>
<td>4.3</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 48: Line 48:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td>
<td><!-- 601 -->-</td>
+
<td><!-- [http://cwe.mitre.org/data/definitions/601.html CWE-601] -->-</td>
 
<td>CVE-2016-4019</td>
 
<td>CVE-2016-4019</td>
<td>4.3</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 59: Line 59:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br />
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br />
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td>
 
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td>
<td><!-- 352 -->-</td>
+
<td><!-- [http://cwe.mitre.org/data/definitions/352.html CWE-352] -->-</td>
 
<td>CVE-2016-3406</td>
 
<td>CVE-2016-3406</td>
<td>2.6</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 69: Line 69:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td>
<td><!-- 79 -->-</td>
+
<td><!-- XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] -->-</td>
 
<td>CVE-2016-3407</td>
 
<td>CVE-2016-3407</td>
<td>4.3 <br /> 3.5 <br /> 4.3 <br /> 2.1</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 79: Line 79:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td>
<td><!-- 79 -->-</td>
+
<td><!-- XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] -->-</td>
 
<td>CVE-2016-3412</td>
 
<td>CVE-2016-3412</td>
<td>3.5</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 89: Line 89:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td>
<td><!-- 611 -->-</td>
+
<td><!-- [http://cwe.mitre.org/data/definitions/611.html CWE-611] -->-</td>
 
<td>CVE-2016-3413</td>
 
<td>CVE-2016-3413</td>
<td>2.6</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 99: Line 99:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td>
<td><!-- 352 -->-</td>
+
<td><!-- [http://cwe.mitre.org/data/definitions/352.html CWE-352] -->-</td>
 
<td>CVE-2016-3405</td>
 
<td>CVE-2016-3405</td>
<td>4.3</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 109: Line 109:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td>
<td><!-- 352 -->-</td>
+
<td><!-- [http://cwe.mitre.org/data/definitions/352.html CWE-352] -->-</td>
 
<td>CVE-2016-3404</td>
 
<td>CVE-2016-3404</td>
<td>4.3</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 119: Line 119:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /> [https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td>
<td><!-- 79 -->-</td>
+
<td><!-- XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] -->-</td>
 
<td>CVE-2016-3410</td>
 
<td>CVE-2016-3410</td>
<td>4.3</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 129: Line 129:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td>
<td><!-- 79 -->-</td>
+
<td><!-- XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] -->-</td>
 
<td>CVE-2016-3411</td>
 
<td>CVE-2016-3411</td>
<td>3.5</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 139: Line 139:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td>
<td><!-- 79 -->-</td>
+
<td><!-- XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] -->-</td>
 
<td>CVE-2016-3409</td>
 
<td>CVE-2016-3409</td>
<td>4.3</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 151: Line 151:
 
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td>
 
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td>
 
<td>CVE-2016-3415</td>
 
<td>CVE-2016-3415</td>
<td>5.8</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
 
<td>Major</td>
 
<td>Major</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 169: Line 169:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td>
<td>-</td>
+
<td><!-- [https://cwe.mitre.org/data/definitions/674.html CWE-674] -->-</td>
 
<td>CVE-2016-3414</td>
 
<td>CVE-2016-3414</td>
<td>4.0</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.6.0 Patch7 <br /> 8.7.0</td>
 
<td>8.6.0 Patch7 <br /> 8.7.0</td>
Line 179: Line 179:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td>
<td>-</td>
+
<td><!-- XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79] -->-</td>
 
<td>CVE-2016-3408</td>
 
<td>CVE-2016-3408</td>
<td>4.3</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 189: Line 189:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td>
<td>-</td>
+
<td><!-- [http://cwe.mitre.org/data/definitions/352.html CWE-352] -->-</td>
 
<td>CVE-2016-3403</td>
 
<td>CVE-2016-3403</td>
<td>6.8</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td>
 
<td>Major</td>
 
<td>Major</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 199: Line 199:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td>
<td>-</td>
+
<td><!-- [http://cwe.mitre.org/data/definitions/284.html CWE-284]  [http://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td>
 
<td>CVE-2016-3401</td>
 
<td>CVE-2016-3401</td>
<td>3.5</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 209: Line 209:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td>
<td>-</td>
+
<td><!-- [http://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td>
 
<td>CVE-2016-3402</td>
 
<td>CVE-2016-3402</td>
<td>2.6</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.7.0</td>
 
<td>8.7.0</td>
Line 221: Line 221:
 
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>CVE-2015-7609</td>
 
<td>CVE-2015-7609</td>
<td>6.4 <br /> (2.3)</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td>
 
<td>Major</td>
 
<td>Major</td>
 
<td>8.6.0 Patch5 <br /> 8.7.0</td>
 
<td>8.6.0 Patch5 <br /> 8.7.0</td>
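Review bot: the vector this hunk links for the 2.3 score of CVE-2015-7609, (AV:N/AC:H/Au:N/C:N/I:P/A:N), evaluates to 2.6 under the CVSS v2 equations (impact 2.86, exploitability 4.93, base 2.57), and it is the same vector the CVE-2016-3406 and CVE-2016-3413 rows link for their 2.6 scores, so either the 2.3 figure or the vector is wrong. The original cell also showed the 2.3 in parentheses, which this hunk drops; check the figure against the original advisory before publishing a link that asserts a specific vector for it.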
Line 231: Line 231:
 
<td>[https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>[https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>CVE-2015-2249</td>
 
<td>CVE-2015-2249</td>
<td>3.5</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.6.0 Patch5 <br /> 8.7.0</td>
 
<td>8.6.0 Patch5 <br /> 8.7.0</td>
Line 240: Line 240:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td>
 
<td>XSS Vuln in YUI components in ZCS</td>
 
<td>XSS Vuln in YUI components in ZCS</td>
<td style="white-space:nowrap">CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td>
+
<td>n/a</td>
 
<td>4.3</td>
 
<td>4.3</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.6.0 Patch5</td>
 
<td>8.6.0 Patch5</td>
<td>Upstream</td>
+
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td>
 
</tr>
 
</tr>
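Review bot: replacing the CVE-ID cell with "n/a" and moving the three YUI identifiers into the Reporter cell as "Upstream, see CVE-2012-5881 ..." puts identifiers in an attribution column, so anyone scanning or searching the CVE-ID column for CVE-2012-5881 no longer finds this row. Keep the upstream CVEs in the CVE-ID column and put just "Upstream" in Reporter; the same move is made below for the OpenSSL, nginx, JDK and ClamAV rows.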
  
Line 251: Line 251:
 
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>CVE-2015-2249</td>
 
<td>CVE-2015-2249</td>
<td>4.3</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.6.0 Patch2 <br /> 8.7.0</td>
 
<td>8.6.0 Patch2 <br /> 8.7.0</td>
Line 259: Line 259:
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td>
<td>Reflected XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
+
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td>
 
<td>CVE-2015-2230</td>
 
<td>CVE-2015-2230</td>
<td>3.5</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.6.0 Patch2</td>
 
<td>8.6.0 Patch2</td>
Line 271: Line 271:
 
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td>
 
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td>
 
<td>CVE-2014-8563</td>
 
<td>CVE-2014-8563</td>
<td>5.8</td>
+
<td>[http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
 
<td>Major</td>
 
<td>Major</td>
 
<td>8.0.9 <br /> 8.5.1<br /> 8.6.0</td>
 
<td>8.0.9 <br /> 8.5.1<br /> 8.6.0</td>
Line 281: Line 281:
 
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
 
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td>
 
<td>CVE-2015-6541</td>
 
<td>CVE-2015-6541</td>
<td>5.8</td>
+
<td>[http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td>
 
<td>Major</td>
 
<td>Major</td>
 
<td>8.5.0</td>
 
<td>8.5.0</td>
Line 291: Line 291:
 
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td>
 
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td>
 
<td>CVE-2014-5500</td>
 
<td>CVE-2014-5500</td>
<td>4.3</td>
+
<td>[http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>8.0.8 <br /> 8.5.0</td>
 
<td>8.0.8 <br /> 8.5.0</td>
Line 301: Line 301:
 
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td>
 
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td>
 
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td>
 
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td>
<td>5.8</td>
+
<td>[http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td>
 
<td>Major</td>
 
<td>Major</td>
 
<td>8.5.0</td>
 
<td>8.5.0</td>
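Review bot: the calculator link added for CVE-2013-5119 differs from every other link in this change: it omits the `calculator&` parameter (`cvss.cfm?version=2&vector=`) and spells the authentication metric `AU:N` rather than `Au:N`. Use the same `cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N)` form as the other rows so the page's links stay uniform and machine-parseable.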
Line 310: Line 310:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td>
 
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td>
 
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td>
<td style="white-space:nowrap">[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td>
+
<td>n/a</td>
 
<td>6.8</td>
 
<td>6.8</td>
 
<td>Major</td>
 
<td>Major</td>
 
<td style="white-space:nowrap">
 
<td style="white-space:nowrap">
 
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td>
 
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td>
<td>Upstream</td>
+
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td>
 
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td>
 
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160]</td>
+
<td>n/a</td>
 
<td>5.0</td>
 
<td>5.0</td>
 
<td>Major</td>
 
<td>Major</td>
 
<td style="white-space:nowrap">
 
<td style="white-space:nowrap">
 
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td>
 
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td>
<td>Upstream</td>
+
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td>
 
<td>Upgrade to OpenSSL 1.0.1f</td>
 
<td>Upgrade to OpenSSL 1.0.1f</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br />  [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br />  [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td>
+
<td>n/a</td>
 
<td>4.3 <br /> 4.3 <br /> 5.8</td>
 
<td>4.3 <br /> 4.3 <br /> 5.8</td>
 
<td>Major</td>
 
<td>Major</td>
 
<td>8.0.7</td>
 
<td>8.0.7</td>
<td>Upstream</td>
+
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td>
<td>Critical Vulnerability</td>
+
<td>[https://cwe.mitre.org/data/definitions/611.html CWE-611]</td>
 
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td>
 
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td>
<td>10.0 <br />  [https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td>
+
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td>
 
<td>Critical</td>
 
<td>Critical</td>
 
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td>
 
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td>
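Review bot: two things in the context of this hunk need a second look. In the 88708 row (CVE-2014-0160) all five patch links point at the CVE-2014-0224 CCS-injection advisory (the URL contains `cve-2014-0224-ccs-injection`), and 8.0.7 is listed both as "8.0.7+Patch" and as a bare fix release; if the June 2014 patches are also the Heartbleed fix for 8.0.3 to 8.0.7, say so, otherwise link the Heartbleed advisory and drop the redundant entry. In the 84547 row the score cell now reads "6.4 (not 10.0)" while the rating stays Critical and the Summary cell has shrunk to a bare CWE-611 link; a short note on why the 10.0 was withdrawn would tell readers more than the parenthetical does.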
Line 366: Line 366:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td>
 
<td>Patch nginx for CVE-2013-4547</td>
 
<td>Patch nginx for CVE-2013-4547</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td>
+
<td>n/a</td>
 
<td>7.5</td>
 
<td>7.5</td>
 
<td>Major</td>
 
<td>Major</td>
 
<td>7.2.7 <br /> 8.0.7</td>
 
<td>7.2.7 <br /> 8.0.7</td>
<td>Upstream</td>
+
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
Line 378: Line 378:
 
<td style="white-space:nowrap">
 
<td style="white-space:nowrap">
 
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k<br /> Upgrade to JDK 1.7u15+<br /> Upgrade to OpenSSL 1.0.1d</td>
 
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k<br /> Upgrade to JDK 1.7u15+<br /> Upgrade to OpenSSL 1.0.1d</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td>
+
<td>n/a</td>
 
<td>2.6</td>
 
<td>2.6</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td>
 
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td>
<td>Upstream</td>
+
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td>
<td>Local file inclusion via skin/branding feature</td>
+
<td>Local file inclusion via skin/branding feature [http://cwe.mitre.org/data/definitions/22.html CWE-22]</td>
 
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td>
 
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td>
<td>5.0</td>
+
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td>
 
<td>Critical</td>
 
<td>Critical</td>
 
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td>
 
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td>
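Review bot: the CVE-2013-7091 score link uses a different NVD URL form (`nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=...`) from the `cvss.cfm?calculator&version=2&vector=` form used everywhere else in this change; pick one form for the whole table. The CWE-22 tag added to the Summary cell is rendered, which is better than the CWE tags hidden in comments in the 8.7.0 rows.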
Line 405: Line 405:
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td>
 
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td>
 
<td>Upgrade to Clamav 0.97.5</td>
 
<td>Upgrade to Clamav 0.97.5</td>
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td>
+
<td>n/a</td>
 
<td>4.3 <br /> 4.3 <br /> 4.3</td>
 
<td>4.3 <br /> 4.3 <br /> 4.3</td>
 
<td>Minor</td>
 
<td>Minor</td>
 
<td>7.2.1</td>
 
<td>7.2.1</td>
<td>Upstream</td>
+
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>

Revision as of 06:14, 9 July 2016

Zimbra Security Advisories

Overview

The following security vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration. To pick up the latest release and patches, update your Zimbra Collaboration servers with the software available on the Zimbra Download pages.

Zimbra Collaboration - Security Vulnerability Advisories

(going back to ZCS 7.1.3)

<table>
<tr><th>Bug#</th><th>Summary</th><th>CVE-ID</th><th>CVSS Score</th><th>Zimbra Rating</th><th>Fix Release or Patch Version</th><th>Reporter</th></tr>
<tr><td>105001 <br /> 105174</td><td>-</td><td>CVE-2016-5721</td><td>4.3 <br /> 2.1</td><td>Minor</td><td>8.7.0</td><td>Secu</td></tr>
<tr><td>104552 <br /> 104703</td><td>-</td><td>CVE-2016-3999</td><td>4.3</td><td>Minor</td><td>8.7.0</td><td>Nam Habach</td></tr>
<tr><td>104477</td><td>-</td><td>CVE-2016-4019</td><td>4.3</td><td>Minor</td><td>8.7.0</td><td>Zimbra</td></tr>
<tr><td>104294 <br /> 104456</td><td>-</td><td>CVE-2016-3406</td><td>2.6</td><td>Minor</td><td>8.7.0</td><td>Zimbra</td></tr>
<tr><td>104222 <br /> 104910 <br /> 105071 <br /> 105175</td><td>-</td><td>CVE-2016-3407</td><td>4.3 <br /> 3.5 <br /> 4.3 <br /> 2.1</td><td>Minor</td><td>8.7.0</td><td>Zimbra</td></tr>
<tr><td>103997 <br /> 104413 <br /> 104414 <br /> 104777 <br /> 104791</td><td>-</td><td>CVE-2016-3412</td><td>3.5</td><td>Minor</td><td>8.7.0</td><td>Zimbra</td></tr>
<tr><td>103996</td><td>-</td><td>CVE-2016-3413</td><td>2.6</td><td>Minor</td><td>8.7.0</td><td>Zimbra</td></tr>
<tr><td>103961 <br /> 104828</td><td>-</td><td>CVE-2016-3405</td><td>4.3</td><td>Minor</td><td>8.7.0</td><td>Zimbra</td></tr>
<tr><td>103959</td><td>-</td><td>CVE-2016-3404</td><td>4.3</td><td>Minor</td><td>8.7.0</td><td>Zimbra</td></tr>
<tr><td>103956 <br /> 103995 <br /> 104475 <br /> 104838 <br /> 104839</td><td>-</td><td>CVE-2016-3410</td><td>4.3</td><td>Minor</td><td>8.7.0</td><td>Zimbra</td></tr>
<tr><td>103609</td><td>-</td><td>CVE-2016-3411</td><td>3.5</td><td>Minor</td><td>8.7.0</td><td>Zimbra</td></tr>
<tr><td>102637</td><td>-</td><td>CVE-2016-3409</td><td>4.3</td><td>Minor</td><td>8.7.0</td><td>Peter Nguyen</td></tr>
<tr><td>102276</td><td>CWE-502</td><td>CVE-2016-3415</td><td>5.8</td><td>Major</td><td>8.7.0</td><td>Zimbra</td></tr>
<tr><td>102227</td><td>CWE-502</td><td>n/a</td><td>7.5</td><td>Major</td><td>8.7.0</td><td>Upstream, see <br /> CVE-2015-4852</td></tr>
<tr><td>102029</td><td>-</td><td>CVE-2016-3414</td><td>4.0</td><td>Minor</td><td>8.6.0 Patch7 <br /> 8.7.0</td><td>Zimbra</td></tr>
<tr><td>101813</td><td>-</td><td>CVE-2016-3408</td><td>4.3</td><td>Minor</td><td>8.7.0</td><td>Volexity</td></tr>
<tr><td>100899</td><td>-</td><td>CVE-2016-3403</td><td>6.8</td><td>Major</td><td>8.7.0</td><td>Sysdream</td></tr>
<tr><td>99810</td><td>-</td><td>CVE-2016-3401</td><td>3.5</td><td>Minor</td><td>8.7.0</td><td>Zimbra</td></tr>
<tr><td>99167</td><td>-</td><td>CVE-2016-3402</td><td>2.6</td><td>Minor</td><td>8.7.0</td><td>Zimbra</td></tr>
<tr><td>101435 <br /> 101436</td><td>Persistent XSS CWE-79</td><td>CVE-2015-7609</td><td>6.4 <br /> 2.3</td><td>Major</td><td>8.6.0 Patch5 <br /> 8.7.0</td><td>Fortinet's FortiGuard Labs</td></tr>
<tr><td>101559 <br /> 100133 <br /> 99854 <br /> 99914 <br /> 96973</td><td>CWE-79</td><td>CVE-2015-2249</td><td>3.5</td><td>Minor</td><td>8.6.0 Patch5 <br /> 8.7.0</td><td>Zimbra</td></tr>
<tr><td>99236</td><td>XSS Vuln in YUI components in ZCS</td><td>n/a</td><td>4.3</td><td>Minor</td><td>8.6.0 Patch5</td><td>Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td></tr>
<tr><td>98358 <br /> 98216 <br /> 98215</td><td>Non-Persistent XSS CWE-79</td><td>CVE-2015-2249</td><td>4.3</td><td>Minor</td><td>8.6.0 Patch2 <br /> 8.7.0</td><td>Cure53</td></tr>
<tr><td>97625</td><td>Non-Persistent XSS CWE-79</td><td>CVE-2015-2230</td><td>3.5</td><td>Minor</td><td>8.6.0 Patch2</td><td>MWR InfoSecurity</td></tr>
<tr><td>96105</td><td>Improper Input Validation CWE-20</td><td>CVE-2014-8563</td><td>5.8</td><td>Major</td><td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><td>-</td></tr>
<tr><td>83547</td><td>CSRF Vulnerability CWE-352</td><td>CVE-2015-6541</td><td>5.8</td><td>Major</td><td>8.5.0</td><td>iSEC Partners, Sysdream</td></tr>
<tr><td>87412 <br /> 92825 <br /> 92833 <br /> 92835</td><td>XSS Vulnerabilities CWE-79 <br /> (8.0.7 Patch contains 87412)</td><td>CVE-2014-5500</td><td>4.3</td><td>Minor</td><td>8.0.8 <br /> 8.5.0</td><td>-</td></tr>
<tr><td>83550</td><td>Session Fixation CWE-384</td><td>CVE-2013-5119</td><td>5.8</td><td>Major</td><td>8.5.0</td><td></td></tr>
<tr><td>91484</td><td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><td>n/a</td><td>6.8</td><td>Major</td><td>8.0.3+Patch <br /> 8.0.4+Patch <br /> 8.0.5+Patch <br /> 8.0.6+Patch <br /> 8.0.7+Patch</td><td>Upstream, see <br /> CVE-2014-0224</td></tr>
<tr><td>88708</td><td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><td>n/a</td><td>5.0</td><td>Major</td><td>8.0.3+Patch <br /> 8.0.4+Patch <br /> 8.0.5+Patch <br /> 8.0.6+Patch <br /> 8.0.7+Patch <br /> 8.0.7</td><td>Upstream, see <br /> CVE-2014-0160</td></tr>
<tr><td>85499</td><td>Upgrade to OpenSSL 1.0.1f</td><td>n/a</td><td>4.3 <br /> 4.3 <br /> 5.8</td><td>Major</td><td>8.0.7</td><td>Upstream, see <br /> CVE-2013-4353 <br /> CVE-2013-6449 <br /> CVE-2013-6450</td></tr>
<tr><td>84547</td><td>CWE-611</td><td>CVE-2013-7217</td><td>6.4 <br /> (not 10.0)</td><td>Critical</td><td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><td>Private</td></tr>
<tr><td>85478</td><td>XSS vulnerability in message view</td><td>-</td><td>6.4</td><td>Major</td><td>8.0.7</td><td>Alban Diquet of iSEC Partners</td></tr>
<tr><td>85411</td><td>Local root privilege escalation</td><td>-</td><td>6.2</td><td>Major</td><td>8.0.7</td><td>Matthew David</td></tr>
<tr><td>85000</td><td>Patch nginx for CVE-2013-4547</td><td>n/a</td><td>7.5</td><td>Major</td><td>7.2.7 <br /> 8.0.7</td><td>Upstream, see <br /> CVE-2013-4547</td></tr>
<tr><td>80450 <br /> 80131 <br /> 80445 <br /> 80132</td><td>Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><td>n/a</td><td>2.6</td><td>Minor</td><td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><td>Upstream, see <br /> CVE-2013-0169</td></tr>
<tr><td>80338</td><td>Local file inclusion via skin/branding feature CWE-22</td><td>CVE-2013-7091</td><td>5.0</td><td>Critical</td><td>6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><td>Private</td></tr>
<tr><td>77655</td><td>Separate keystore for CAs used for X509 authentication</td><td>-</td><td>5.8</td><td>Major</td><td>8.0.7</td><td>Private</td></tr>
<tr><td>75424</td><td>Upgrade to Clamav 0.97.5</td><td>n/a</td><td>4.3 <br /> 4.3 <br /> 4.3</td><td>Minor</td><td>7.2.1</td><td>Upstream, see <br /> CVE-2012-1457 <br /> CVE-2012-1458 <br /> CVE-2012-1459</td></tr>
<tr><td>64981</td><td>Do not allow HTTP GET for login</td><td>-</td><td>6.8</td><td>Major</td><td>7.1.3_Patch <br /> 7.1.4</td><td>Private</td></tr>
</table>
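The score column in this revision links each figure to the NVD CVSS v2 calculator with a specific base vector. The following is an added check written for this page; it is not part of Zimbra's wiki or tooling. It implements the CVSS v2 base-score equations with the published weights and recomputes each distinct vector/score pair that appears in the revision's calculator links (copied into the block as constructed input), flagging rows where the listed figure does not match its own vector.

```python
"""CVSS v2 base-score check for the advisory table's calculator links.

Added example for this page, not Zimbra code. Recomputes each linked
vector with the CVSS v2.0 base equations and flags rows whose listed
score disagrees with the vector the link asserts.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base-metric weights from the CVSS v2.0 specification.
AV = {"L": Decimal("0.395"), "A": Decimal("0.646"), "N": Decimal("1.0")}
AC = {"H": Decimal("0.35"), "M": Decimal("0.61"), "L": Decimal("0.71")}
AU = {"M": Decimal("0.45"), "S": Decimal("0.56"), "N": Decimal("0.704")}
CIA = {"N": Decimal("0"), "P": Decimal("0.275"), "C": Decimal("0.660")}
ONE = Decimal("1")


def parse_vector(vector: str) -> dict:
    """Turn '(AV:N/AC:M/Au:N/C:N/I:P/A:N)' into {'AV': 'N', 'AC': 'M', ...}.

    Metric names are upper-cased so the page's one 'AU:N' spelling parses
    the same way as 'Au:N'.
    """
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, _, value = part.partition(":")
        metrics[name.upper()] = value.upper()
    missing = {"AV", "AC", "AU", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"vector {vector!r} lacks metrics {sorted(missing)}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded half-up to one decimal as NVD does."""
    m = parse_vector(vector)
    impact = Decimal("10.41") * (
        ONE - (ONE - CIA[m["C"]]) * (ONE - CIA[m["I"]]) * (ONE - CIA[m["A"]])
    )
    exploitability = Decimal("20") * AV[m["AV"]] * AC[m["AC"]] * AU[m["AU"]]
    f_impact = Decimal("0") if impact == 0 else Decimal("1.176")
    raw = (Decimal("0.6") * impact + Decimal("0.4") * exploitability - Decimal("1.5")) * f_impact
    return float(raw.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Constructed input: distinct (CVE, vector, listed score) triples copied
# from the calculator links in this revision.
TABLE_ROWS = [
    ("CVE-2016-5721", "(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 4.3),
    ("CVE-2016-5721", "(AV:N/AC:H/Au:S/C:N/I:P/A:N)", 2.1),
    ("CVE-2016-3406", "(AV:N/AC:H/Au:N/C:N/I:P/A:N)", 2.6),
    ("CVE-2016-3407", "(AV:N/AC:M/Au:S/C:P/I:N/A:N)", 3.5),
    ("CVE-2016-3415", "(AV:N/AC:M/Au:N/C:P/I:P/A:N)", 5.8),
    ("CVE-2016-3414", "(AV:N/AC:L/Au:S/C:N/I:N/A:P)", 4.0),
    ("CVE-2016-3403", "(AV:N/AC:M/Au:N/C:P/I:P/A:P)", 6.8),
    ("CVE-2016-3402", "(AV:N/AC:H/Au:N/C:P/I:N/A:N)", 2.6),
    ("CVE-2015-7609", "(AV:N/AC:L/Au:N/C:P/I:P/A:N)", 6.4),
    ("CVE-2015-7609", "(AV:N/AC:H/Au:N/C:N/I:P/A:N)", 2.3),
    ("CVE-2013-5119", "(AV:N/AC:M/AU:N/C:P/I:P/A:N)", 5.8),
    ("CVE-2013-7217", "(AV:N/AC:L/Au:N/C:P/I:P/A:N)", 6.4),
    ("CVE-2013-7091", "(AV:N/AC:L/Au:N/C:P/I:N/A:N)", 5.0),
]


def find_mismatches(rows=TABLE_ROWS) -> list:
    """Return (cve, vector, listed, computed) for rows whose score is wrong."""
    out = []
    for cve, vector, listed in rows:
        computed = base_score(vector)
        if computed != listed:
            out.append((cve, vector, listed, computed))
    return out


if __name__ == "__main__":
    for cve, vector, listed, computed in find_mismatches():
        print(f"{cve}: listed {listed}, but {vector} scores {computed}")
```

Run as a script it reports a single mismatch: the 2.3 entry for CVE-2015-7609 is linked to (AV:N/AC:H/Au:N/C:N/I:P/A:N), which scores 2.6. Every other linked vector reproduces its listed figure, including the CVE-2013-5119 link whose `AU:N` spelling only parses because the metric names are upper-cased first.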
