Two security vulnerabilities affecting the Mailcow open-source mail server suite have been disclosed, potentially enabling malicious actors to execute arbitrary code on vulnerable instances.
These flaws impact all versions of Mailcow released before April 4, 2024. SonarSource responsibly disclosed the vulnerabilities on March 22, 2024.
The vulnerabilities, rated as Moderate in severity, are detailed as follows:
- CVE-2024-30270 (CVSS score: 6.7) – A path traversal vulnerability in the “rspamd_maps()” function that allows attackers to overwrite files and execute arbitrary commands on the server with the “www-data” user’s permissions.
- CVE-2024-31204 (CVSS score: 6.8) – A cross-site scripting (XSS) vulnerability related to exception handling, specifically when not operating in DEV_MODE. This flaw allows injection of malicious scripts into the admin panel, potentially hijacking sessions and enabling privileged actions.
Mailcow Mail Server Flaws Expose Servers to Remote Code Execution
CVE-2024-30270 CVSS score: 6.7
CVE-2024-31204 CVSS score: 6.8ZoomEye Dorkapp:”Mailcow Mail Server”
About 60,605 results, mainly distributed in Germany, the United States and other countries
check it… https://t.co/kUzB0QgsbI pic.twitter.com/HKhQTZny4S— ZoomEye (@zoomeye_team) June 19, 2024
In practical terms, exploiting Remote Code Execution vulnerabilities could lead to unauthorized access to sensitive data and the execution of commands.
According to SonarSource vulnerability researcher Paul Gerste, “Combining both vulnerabilities allows an attacker to execute arbitrary code on the admin panel server of a vulnerable Mailcow instance. An admin user merely viewing a malicious email within the admin panel is sufficient.”
Mailcow users are strongly advised to update to version 2024-04 or later to mitigate these security risks effectively.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
