Zimbra Collaboration LDAP Injection Vulnerability in Mailbox SOAP Service

Vulnerability

An LDAP injection vulnerability has been identified in the Mailbox SOAP service of Zimbra Collaboration (ZCS) versions 10.0 and 10.1. The flaw lies in the FolderAction operation, where user-supplied input is incorporated into an LDAP search filter without being properly sanitized. As a result, an authenticated attacker can send a crafted SOAP request that alters the structure of the LDAP query, potentially leading to the retrieval of sensitive directory attributes.
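The root cause described above is a generic one: a string that comes from the request is spliced into a filter in which `*`, `(`, `)`, `\` and NUL carry structural meaning. The following example is added here for illustration and is not Zimbra code; it does not reproduce the actual FolderAction query. The filter shape `(&(objectClass=person)(cn=...))`, the function names and the sample input are all assumed. It shows the unescaped pattern next to an RFC 4515 escaping routine, a small parser that lists the assertions a filter actually contains (so the extra clause introduced by unescaped input becomes visible), and a check a defender can use to flag request parameters that contain filter metacharacters.

```python
import re

# RFC 4515 requires these characters to be escaped inside an assertion
# value; each maps to its backslash-hex form. Other non-printable or
# non-ASCII octets may also be escaped the same way but are not required.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Matches a simple assertion such as (cn=value) or (mail>=x); the value
# part deliberately stops at the first parenthesis.
_ASSERTION_RE = re.compile(r"\(([A-Za-z][\w.;-]*)(?:[~<>]?=)([^()]*)\)")


def escape_filter_value(value: str) -> str:
    """Escape a string so it can only ever be a literal assertion value."""
    # A single pass over characters means a backslash introduced by one
    # escape is never re-escaped by a later one.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(folder_name: str) -> str:
    """Illustrative vulnerable pattern (assumed shape, not Zimbra's query):
    the request value is concatenated straight into the filter."""
    return f"(&(objectClass=person)(cn={folder_name}))"


def build_filter_safe(folder_name: str) -> str:
    """Hardened form: same filter, but the value is escaped first."""
    return f"(&(objectClass=person)(cn={escape_filter_value(folder_name)}))"


def list_assertions(ldap_filter: str) -> list[tuple[str, str]]:
    """Return (attribute, value) for every simple assertion in a filter.
    Extra clauses smuggled in by unescaped input show up as extra tuples."""
    return _ASSERTION_RE.findall(ldap_filter)


def looks_like_injection(value: str) -> bool:
    """True when a raw request parameter contains LDAP filter metacharacters.
    Useful as a validation or alerting check in front of directory lookups."""
    return any(ch in value for ch in _FILTER_ESCAPES)


if __name__ == "__main__":
    # Constructed sample input: a folder name that tries to close the cn
    # assertion and append a wildcard match on another attribute.
    tainted = "Inbox*)(mail=*"
    for label, build in (("unsafe", build_filter_unsafe), ("safe", build_filter_safe)):
        f = build(tainted)
        print(f"{label}: {f}")
        print(f"  assertions: {list_assertions(f)}")
    print(f"flagged: {looks_like_injection(tainted)}")
```

With the constructed input the unescaped builder yields three assertions, one of which the application never intended, while the escaped builder yields exactly the two the template defines, with the whole tainted string confined to the `cn` value. In a real service the escaping belongs at the point where the filter is built, and the metacharacter check is a useful secondary signal for logging and detection rather than a substitute for escaping.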

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of LDAP queries, which could result in the disclosure of sensitive directory information.

Remediation

Users should upgrade to ZCS version 10.1.13 or 10.0.18, both of which include the security fix. Upgrade instructions are available on the Zimbra Releases page.

Added: Mar 20, 2026, 2:21 PM
Updated: Mar 20, 2026, 2:21 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.