Security Bulletin 23B30874
User sensitive information can be disclosed in a .ZED container
High
Security Bulletin 23B30874
CVE-2023-50444
12/13/2023
SUMMARY
Attacking .ZED container metadata via brute force can lead to the disclosure of user sensitive information included by default in .ZED containers if the user password complexity does not follow common practices.
CVSS SCORE: BASE 8.7
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges required (PR): none (N)
- User interaction (UI): none (N)
- Scope (S): changed (C)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): none (N)
DETAILS
- CVEID: 2023-50444 (created on 12/10/2023)
AFFECTED PRODUCTS AND VERSIONS
- ZED! Enterprise for Windows version prior to 2023.5, including versions Q.2020.1, Q.2020.2 and Q.2021.1
- ZED! features in ZONECENTRAL for Windows version prior to 2023.5, including versions Q.2021.1
- ZED! features in ZEDMAIL for Windows version prior to 2023.5
SOLUTIONS AND RECOMMENDATIONS
Depending on your solution, upgrade to one of the following versions:
- ZED! Enterprise for Windows version Q.2020.3 (version validated by ANSSI)
- ZED! Enterprise for Windows version Q.2021.2 (version validated by ANSSI)
- ZED! Enterprise for Windows minimal version 2023.5
- ZED! features in ZONECENTRAL for Windows version Q.2021.2 (version validated by ANSSI)
- ZED! features in ZONECENTRAL for Windows minimal version 2023.5
- ZED! features in ZEDMAIL for Windows minimal version 2023.5
For more information, contact support[@]primx[.]eu.
ACKNOWLEDGEMENTS
ANSSI
