Security Bulletin 23B30930
Original creation path can be disclosed in a .ZED container
CVE-2023-50439
12/13/2023
SUMMARY
Analyzing a .ZED container can disclose the original path in which it was created. This allows an unauthenticated attacker to obtain some information about the context of use (project name, etc.).
CVSS SCORE: BASE 5.3
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges required (PR): None (N)
- User interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): None (N)
DETAILS
- CVE ID: CVE-2023-50439 (created on 12/10/2023)
AFFECTED PRODUCTS AND VERSIONS
- ZED! Enterprise for Windows versions prior to 2023.5, including versions Q.2020.1, Q.2020.2 and Q.2021.1
- ZED! features in ZONECENTRAL for Windows versions prior to 2023.5, including version Q.2021.1
- ZED! features in ZEDMAIL for Windows versions prior to 2023.5
SOLUTIONS AND RECOMMENDATIONS
Depending on your solution, upgrade to one of the following versions:
- ZED! Enterprise for Windows version Q.2020.3 (version validated by ANSSI)
- ZED! Enterprise for Windows version Q.2021.2 (version validated by ANSSI)
- ZED! Enterprise for Windows minimum version 2023.5
- ZED! features in ZONECENTRAL for Windows version Q.2021.2 (version validated by ANSSI)
- ZED! features in ZONECENTRAL for Windows minimum version 2023.5
- ZED! features in ZEDMAIL for Windows minimum version 2023.5
For more information, contact support[@]primx[.]eu.
ACKNOWLEDGEMENTS
ANSSI