Security Advisory: Zimbra Community 8.x Security Vulnerability

Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is relegated to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.

Summary: The Zimbra development team has identified a very specific scenario where a user’s password in Community 8 is stored insecurely.

Affected Versions: (unpatched),

Vulnerability Scoring: CVSS: 1.4

Obtaining a fix:

Details: The administrative feature to create users leverages non-public APIs that can force a user’s password to be inadvertently stored insecurely.

Reporter: Alex Crome (Zimbra)

When does this occur?

1. Creating a user through the control panel using Membership Administration (requires administrative privileges)

2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)

If you have any questions or would like assistance with applying the patch, please contact support.

This advisory was originally published here