CVE-2015-3436

Published: Jun 9, 2015Modified: May 6, 2026

6.6

Vector

AV:L/AC:L/Au:N/C:N/I:C/A:C

Exploitability: 3.9 / Impact: 9.2

Source: NVD

Description

provider/server/ECServer.cpp in Zarafa Collaboration Platform (ZCP) before 7.1.13 and 7.2.x before 7.2.1 allows local users to write to arbitrary files via a symlink attack on /tmp/zarafa-upgrade-lock.

Affected (2)

Products: Zarafa: Zarafa Collaboration Platform

Zarafa

1 product

Zarafa Collaboration Platform

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Zarafa Zarafa Collaboration Platform	Up to 7.1.12
Zarafa Zarafa Collaboration Platform	Version 7.2.0

Related CWEs

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (8)

http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159455.html

Source: cve@mitre.org

http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159497.html

Source: cve@mitre.org

http://www.securityfocus.com/bid/75104

Source: cve@mitre.org

https://jira.zarafa.com/browse/ZCP-13282

Source: cve@mitre.org

http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159455.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159497.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/75104

Source: af854a3a-2127-422b-91ae-364da2661108

https://jira.zarafa.com/browse/ZCP-13282

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.