{"id":"CVE-2019-9621","details":"Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.","modified":"2026-03-15T15:06:49.453872Z","published":"2019-04-30T18:29:08.633Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9621"},{"type":"ADVISORY","url":"https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html"},{"type":"ADVISORY","url":"https://blog.zimbra.com/2019/03/9826/"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Security_Center"},{"type":"ADVISORY","url":"https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"},{"type":"REPORT","url":"https://bugzilla.zimbra.com/show_bug.cgi?id=109127"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/46693/"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/153190/Zimbra-XML-Injection-Server-Side-Request-Forgery.html"},{"type":"EVIDENCE","url":"http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zimbra/zm-build","events":[{"introduced":"0"},{"last_affected":"6c3c77b328a0d7d3bafecb79d202960217922ef0"},{"introduced":"0"},{"last_affected":"99ed312c10c45aa80e08be0c0ecbce46a53a4ace"},{"introduced":"0"},{"last_affected":"bb330ee01d1d1ddfe395bb31076ee6c480fa4a2e"},{"introduced":"0"},{"last_affected":"d077c8d575b8d2ea5ef93331958237b22e42e6f7"},{"introduced":"0"},{"last_affected":"2705a9ca4782dcc4bea5f7d3653c2bf93f8582bb"},{"introduced":"0"},{"last_affected":"0867fcb7263fa9a1130b192d8c8538b05db4eee6"},{"introduced":"0"},{"last_affected":"4a8e4bee73cd2c8e5804788ef5212d0d180f5846"},{"introduced":"0"},{"last_affected":"7b0d4aa4baaf4d62a4858b390856771d30db3c37"},{"introduced":"0"},{"last_affected":"58f5c7adeac0dc81b2286c1b948c97c134587bb9"},{"introduced":"0"},{"last_affected":"9f862bb6fb9bf2e77fbcea7ff62e92986c4044c9"},{"introduced":"0"},{"last_affected":"e4d1e657f1d2a5a5e8c56c11d7da34ef61574591"},{"introduced":"0"},{"last_affected":"5000d7ff7c8650dbfff91678647fabc2bbf0e64b"},{"introduced":"0"},{"last_affected":"5000d7ff7c8650dbfff91678647fabc2bbf0e64b"},{"introduced":"0"},{"last_affected":"5000d7ff7c8650dbfff91678647fabc2bbf0e64b"},{"introduced":"0"},{"last_affected":"14a4dfad173dbbe623229e1a850b7610c76bc280"},{"introduced":"0"},{"last_affected":"31312ceebfeba104e1e2a16c554e734125b911d1"},{"introduced":"0"},{"last_affected":"31312ceebfeba104e1e2a16c554e734125b911d1"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.7.11-NA"},{"introduced":"0"},{"last_affected":"8.7.11-patch1"},{"introduced":"0"},{"last_affected":"8.7.11-patch10"},{"introduced":"0"},{"last_affected":"8.7.11-patch2"},{"introduced":"0"},{"last_affected":"8.7.11-patch3"},{"introduced":"0"},{"last_affected":"8.7.11-patch4"},{"introduced":"0"},{"last_affected":"8.7.11-patch5"},{"introduced":"0"},{"last_affected":"8.7.11-patch6"},{"introduced":"0"},{"last_affected":"8.7.11-patch7"},{"introduced":"0"},{"last_affected":"8.7.11-patch8"},{"introduced":"0"},{"last_affected":"8.7.11-patch9"},{"introduced":"0"},{"last_affected":"8.8.9-NA"},{"introduced":"0"},{"last_affected":"8.8.9-patch1"},{"introduced":"0"},{"last_affected":"8.8.9-patch3"},{"introduced":"0"},{"last_affected":"8.8.10-NA"},{"introduced":"0"},{"last_affected":"8.8.11-NA"},{"introduced":"0"},{"last_affected":"8.8.11-patch3"}]}},{"type":"GIT","repo":"https://github.com/zimbra/zm-mailbox","events":[{"introduced":"0"},{"last_affected":"c1d036af2e1c0522fb857c1a9bb3b9581e1ce520"},{"introduced":"0"},{"last_affected":"d3c6ef3616ff8d06555806b60d3a4aa5a3ab6d92"},{"introduced":"0"},{"last_affected":"66b2b24c8346512d4411c40189ec3556029272a7"},{"introduced":"0"},{"last_affected":"7fc2e615338f81e7dde44c98812fb8e93b3a4e1a"},{"introduced":"0"},{"last_affected":"74fe8e472dedcf06295adbdf5f9c16aaf32d275b"},{"introduced":"0"},{"last_affected":"d0c867cad9a285d262b118dad822ae5b20066e62"},{"introduced":"0"},{"last_affected":"c1c811f5970a35a1fe7063e68d662fbbc73afc6d"},{"introduced":"0"},{"last_affected":"b51c33194a7b7cfdb46dbb87508454b5c51e352d"},{"introduced":"0"},{"last_affected":"5fffd333fb13ce2e013dc0ae0e133fbb3d27dd12"},{"introduced":"0"},{"last_affected":"daeb0ef59f3366feb79f6a5de122511a13b84beb"},{"introduced":"0"},{"last_affected":"13a2edcc14f8be1dfb549525dafcc31586f09dd9"},{"introduced":"0"},{"last_affected":"a8851178b07ae98eae9ddfe23ba59109d51a93d6"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.8.9-p5"},{"introduced":"0"},{"last_affected":"8.8.9-patch2"},{"introduced":"0"},{"last_affected":"8.8.9-patch4"},{"introduced":"0"},{"last_affected":"8.8.9-patch7"},{"introduced":"0"},{"last_affected":"8.8.9-patch8"},{"introduced":"0"},{"last_affected":"8.8.10-patch1"},{"introduced":"0"},{"last_affected":"8.8.10-patch2"},{"introduced":"0"},{"last_affected":"8.8.10-patch3"},{"introduced":"0"},{"last_affected":"8.8.10-patch4"},{"introduced":"0"},{"last_affected":"8.8.10-patch6"},{"introduced":"0"},{"last_affected":"8.8.10-patch7"},{"introduced":"0"},{"last_affected":"8.8.11-patch2"}]}}],"versions":["8.7.10","8.7.11","8.7.6","8.7.7","8.7.9","8.8.0.beta1","8.8.10","8.8.10.p2","8.8.11","8.8.11.p2","8.8.2","8.8.3","8.8.4","8.8.5","8.8.6","8.8.7","8.8.8","8.8.9","8.8.9.p1","8.8.9.p2","8.8.9.p3","8.8.9.p4","8.8.9.p5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-9621.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"8.6.0"}]},{"events":[{"introduced":"8.7.0"},{"fixed":"8.7.11"}]},{"events":[{"introduced":"8.8.0"},{"fixed":"8.8.9"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6.0-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6.0-patch1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6.0-patch10"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6.0-patch11"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6.0-patch12"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6.0-patch2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6.0-patch3"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6.0-patch4"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6.0-patch5"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6.0-patch6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6.0-patch7"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6.0-patch8"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6.0-patch9"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8.9-patch6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8.9-patch9"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8.11-patch1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}