CVE-2022-35508
Last modified
CVE-2022-35508 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) are vulnerable to SSRF when proxying HTTP requests between pve(pmg)proxy and pve(pmg)daemon. An attacker with an unprivileged account can craft an HTTP request to achieve SSRF and file disclosure of any files on the server. EPSS estimates a 1.18% chance of exploitation in the next 30 days.
Description
Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) are vulnerable to SSRF when proxying HTTP requests between pve(pmg)proxy and pve(pmg)daemon. An attacker with an unprivileged account can craft an HTTP request to achieve SSRF and file disclosure of any files on the server. Also, in Proxmox Mail Gateway, privilege escalation to the root@pam account is possible if the backup feature has ever been used, because backup files such as pmg-backup_YYYY_MM_DD_*.tgz have 0644 permissions and contain an authkey value. This is fixed in pve-http-server 4.1-3.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Proxmox | Proxmox Mail Gateway | All versions |
| Proxmox | Pve Http Server | < 4.1-3 |
| Proxmox | Virtual Environment | All versions |
References
- https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/Exploit, Patch, Technical Description, Third Party Advisory
- https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/Exploit, Patch, Technical Description, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-35508?
How severe is CVE-2022-35508?
How do I fix CVE-2022-35508?
Are you affected by CVE-2022-35508?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST