| Name | CVE-2022-30287 |
| Description | Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3090-1, DLA-3923-1 |
| Debian Bugs | 1012279 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| php-horde-turba (PTS) | bullseye | 4.2.25-5 | vulnerable |
| bullseye (security) | 4.2.25-5+deb11u2 | fixed | |
| bookworm, sid | 4.2.29-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| php-horde-turba | source | buster | 4.2.23-1+deb10u1 | DLA-3090-1 | ||
| php-horde-turba | source | bullseye | 4.2.25-5+deb11u2 | DLA-3923-1 | ||
| php-horde-turba | source | (unstable) | 4.2.25-6 | 1012279 |
https://blog.sonarsource.com/horde-webmail-rce-via-email/
https://lists.horde.org/archives/horde/Week-of-Mon-20220530/059225.html
Possible alternative patch: https://github.com/horde/turba/pull/7
Fixed by: https://github.com/horde/turba/commit/bc53d856ca87656cdc6e5fafd54f2360eb247e24 (v4.2.26)
Followup bugfix: https://github.com/horde/turba/commit/006affc530966704937c55611fadb1669026b9f6 (v4.2.27)
Fixed by: https://github.com/horde/turba/commit/69f67882539aa0909c3c8c15e37407e0aaa18d1c (v4.2.26)
Fixed by: https://github.com/horde/turba/commit/f09285c54673cd3d71d92a8c56da0a2c5ff329ce (v4.2.28)